Intelligent services for application dependency discovery, reporting, and management tool

ABSTRACT

Techniques for monitoring operating statuses of an application and its dependencies are provided. A monitoring application may collect and report the operating status of the monitored application and each dependency. Through use of existing monitoring interfaces, the monitoring application can collect operating status without requiring modification of the underlying monitored application or dependencies. The monitoring application may determine a problem service that is a root cause of an unhealthy state of the monitored application. Dependency analyzer and discovery crawler techniques may automatically configure and update the monitoring application. Machine learning techniques may be used to determine patterns of performance based on system state information associated with performance events and provide health reports relative to a baseline status of the monitored application. Also provided are techniques for testing a response of the monitored application through modifications to API calls. Such tests may be used to train the machine learning model.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of prior U.S. application Ser. No.16/454,562 filed on Jun. 27, 2019, the entirety of which is incorporatedherein by reference.

This application is related to the following U.S. Patent Applications,filed on the same day as U.S. application Ser. No. 16/454,562:

-   -   U.S. patent application Ser. No. 16/454,551, now U.S. Pat. No.        10,521,235, titled “DETERMINING PROBLEM DEPENDENCIES IN        APPLICATION DEPENDENCY DISCOVERY, REPORTING, AND MANAGEMENT        TOOL” and filed on Jun. 27, 2019;    -   U.S. patent application Ser. No. 16/454,569, titled “BASELINE        MODELING FOR APPLICATION DEPENDENCY DISCOVERY, REPORTING, AND        MANAGEMENT TOOL” and filed on Jun. 27, 2019;    -   U.S. patent application Ser. No. 16/454,579, titled “DEPENDENCY        ANALYZER IN APPLICATION DEPENDENCY DISCOVERY, REPORTING, AND        MANAGEMENT TOOL” and filed on Jun. 27, 2019;    -   U.S. patent application Ser. No. 16/454,595, titled “DISCOVERY        CRAWLER FOR APPLICATION DEPENDENCY DISCOVERY, REPORTING, AND        MANAGEMENT TOOL” and filed on Jun. 27, 2019;    -   U.S. patent application Ser. No. 16/454,601, titled “TESTING        AGENT FOR APPLICATION DEPENDENCY DISCOVERY, REPORTING, AND        MANAGEMENT TOOL” and filed on Jun. 27, 2019; and    -   U.S. patent application Ser. No. 16/454,611, titled “INTELLIGENT        SERVICES AND TRAINING AGENT FOR APPLICATION DEPENDENCY        DISCOVERY, REPORTING, AND MANAGEMENT TOOL” and filed on Jun. 27,        2019.        The entirety of each of the related applications is incorporated        by reference herein for all purposes.

FIELD OF USE

Aspects of the disclosure relate generally to monitoring system statusin computer systems. More specifically, aspects of the disclosure mayprovide for enhanced monitoring of application health and facilitateidentifying dependencies causing reduced system performance or anotherunhealthy system status.

BACKGROUND

Computer systems and applications have become an increasingly complexweb of interdependencies, as numerous complex systems are internetworkedin support of modern commerce. A single account access request by a usermay result in hundreds of calls to Application Programming Interfaces(APIs) and other services relied on by a front-end or other application.Applications may be structured to rely on multiple other dependencies toprovide and modify data hosted and/or controlled by other systems. Thesedependencies may be used to provide information to hundreds of thousandsof requests every hour, for example. Performance problems at thesedependencies may result in the application entering an unhealthy state,for example leading to the application being unable to retrievenecessary data or timing out on user requests. In a high-traffic system,this quickly means that a large number of requests, transactions, andother actions are disrupted.

Service impacts due to performance problems in complex systems can bevery damaging. The duration, number of impacted users, and extent ofimpact to service can increase the profile of a system outage or otherunhealthy event. Some companies are subject to reporting regulations asservice impacting events meet certain severity criteria. Thus, it can becritical to quickly diagnose and address a root cause of a performanceproblem in a complex application dependency setting.

Most troubleshooting processes rely on human administrators making useof multiple systems/monitors/alerts and then tracing break events backto a source, trying to find the first one thing that broke. The abilityto correlate or delve into the dependencies that are affecting thesystem in question is a challenge in existing solutions. If any givenset (one or many) of those dependencies fails, both that set and theactual system may suffer an error. System administrators work todifferentiate the root cause, the first break, the impact chain ofcascades, and how to address the break event. Users would need to usemultiple different systems for each purpose and then aggregate issuesand reports together mentally/visually using whatever tools they have.

System philosophies such as “you build it, you own it” may provide clearpoints of contact for troubleshooting. But owners responsible for asystem that is healthy but for downstream dependencies would need toreach out to other administrators responsible for each dependency,triggering a cascade of calls each taking potentially tens of minutes.This requires slow and careful effort by the system administrators,which can mean that problems persist for extended times as root causesare determined and corrective action is taken.

Monitoring tools such as dashboards may allow system administrators toview various metrics related to system operation. Experienced sysadminsmay be able to leverage these dashboards to identify likely causes ofsystem instability. Monitoring interfaces, provided by monitoringinterface applications such as Splunk and Elastic (ELK) may facilitatethe creation of dashboards by creating interfaces to surface variousoperating statistics for an application and allow inspection ofapplication attributes. However, these monitoring interfaces stillrequire the experience of a system administrator to select the properattributes to monitor, and to read the tea leaves during an unhealthystate to determine a root cause. And the monitoring interfacesassociated with an application may only provide information about thestate of the application itself, and not surface particular issues inapplication dependencies. In existing solutions, system administratorsresponsible for an application use monitoring and alerting toolsconfigured to look at their own system. When an alert is detected, theyinvestigate and take corrective steps. When a dependency impacts asystem, the impacted system has to manually contact the dependencyowning team and convince them of impact and need to take steps. Thisapproach may fall short in complex systems or due to the nature of theimpact. Furthermore, the impact is not always apparent as it can rangefrom total system failure to nothing at all. This creates opportunityfor human error and judgment errors that carryforward small mistakesthat, over time, can also lead to system failure.

Aspects described herein may address these and other shortcomings inexisting solutions. Novel aspects discussed herein may facilitateimproved monitoring of system health based on application dependencies,and may allow for reduced incident recovery time and increased systemresiliency. Quickly singling out a source of brokenness in a complexsystem can avoid otherwise lengthy troubleshooting involving many othersystems. This may reduce wasted effort spent by system administratorshunting a root cause. And through use of monitoring interfaces, aspectsherein may provide monitoring of dependencies without requiringadditional connections and modifications to integrate monitoringservices.

SUMMARY

The following presents a simplified summary of various aspects describedherein. This summary is not an extensive overview, and is not intendedto identify key or critical elements or to delineate the scope of theclaims. The following summary merely presents some concepts in asimplified form as an introductory prelude to the more detaileddescription provided below.

According to some aspects, a monitoring application may be configured tocollect and report the operating status of a monitored application andeach of the dependencies of the monitored application. Through use ofexisting monitoring interfaces provided by a monitoring interfaceapplication, the monitoring application may collect operating statuswithout requiring modification of the underlying monitored applicationor dependencies. Aspects described herein may allow the monitoringapplication to determine a problem service that is a root cause of asystem outage or other unhealthy state of the monitored application. Themonitoring application may traverse a dependency tree for the monitoredapplication to identify the problem service.

Other aspects described herein may provide methods for automaticon-boarding and/or configuration of the monitoring application for agiven monitored application. Data lineage documentation, API call logs,and other resources may be parsed to determine dependencies of themonitored application. The system may map out the dependencies of themonitored application and build a logical dependency tree for use inidentifying the root cause of performance issues. A crawler mayautomatically identify relevant monitoring interfaces provided by themonitoring interface application based on the mapped dependencies.Updates to the dependencies of the application, or to the availablemonitoring interfaces, may be automatically detected and used to keepthe monitoring application up to date.

And other aspects described herein may provide methods that utilizemachine learning techniques to determine patterns of performance basedon system state information associated with performance events. Systemstate information for an event may be collected and used to train amachine learning model based on determining correlations betweenattributes of dependencies and the monitored application entering anunhealthy state. During later, similar events, the machine learningmodel may be used to generate a recommended action based on pastcorrective actions. The monitoring application may also use informationabout baseline performance and unhealthy performance events to generatea health report using the trained model, indicating to a userinformation such as a predicted likelihood that the monitoredapplication will enter an unhealthy operating state. This may allow thesystem to proactively provide users with information about and predictpotential conditions that may cause the monitored application to becomeunhealthy. It may also allow the system to reactively generaterecommended actions to restore the monitored application to a healthystate.

Still other aspects described herein relate to a method for testingresiliency of the system to outage of APIs and other services. Aninterceptor may intercept calls from a monitored application to an APIthat the application depends on. The intercepted calls may be modifiedand passed on, in such a manner that they return failed and/orunexpected results to the application. The interceptor may modify aresult returned to an API call, such as by causing a portion of calls totimeout or yield errors. The interceptor may monitor performance of theapplication based on the modified calls and determine whether themonitored application is able to recover from the simulated APIproblems. The intercepted calls may be cached prior to modification,allowing the interceptor to regenerate the unmodified calls and insertthem into a queue for processing if that monitored application is notable to recover. According to some aspects, the interceptor andsimulated API problems may be used to train the machine learning model.The interceptor may act as a chaos agent, operating within the system tosimulate problems at the various API dependencies (and otherdependencies) of the monitored application. This may allow for testingon live deployments with reduced impact to users.

Corresponding apparatus, systems, and computer-readable media are alsowithin the scope of the disclosure.

These features, along with many others, are discussed in greater detailbelow.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIG. 1 depicts an example of a computing device that may be used inimplementing one or more aspects of the disclosure in accordance withone or more illustrative aspects discussed herein;

FIG. 2 depicts an example operating environment used to discussillustrative aspects of systems and methods for monitoring and reportingstatus of dependencies of a target application according to one or moreaspects of the disclosure;

FIGS. 3A and 3B depict an example where a problem in the operatingenvironment is causing the target application to behave in an unhealthymanner, according to one or more aspects of the disclosure;

FIG. 4 depicts an example architecture for a monitoring applicationaccording to one or more aspects of the disclosure;

FIGS. 5 and 6 depict flowcharts illustrating example methods formonitoring and reporting status of dependencies of a target applicationaccording to one or more aspects of the disclosure;

FIG. 7 depicts another example operating environment used to discussillustrative aspects of systems and methods for building a dependencytree;

FIG. 8 depicts a flowchart illustrating an example method for buildingand using a dependency tree;

FIGS. 9A-9E depict illustrative stages of building a dependency tree foran example operating environment;

FIG. 10 depicts another example where a problem in the operatingenvironment is causing the target application to behave in an unhealthymanner, according to one or more aspects of the disclosure;

FIG. 11 depicts a flowcharts illustrating an example method forrecommending corrective action;

FIG. 12 depicts an example architecture for using machine learningprocesses in conjunction with a monitoring application, according to oneor more aspects of the disclosure;

FIGS. 13 and 14 depict flowcharts illustrating example methods forapplying intelligent services using the monitoring application,according to one or more aspects of the disclosure;

FIGS. 15 and 16 depict an example operating environment and method forproviding a baseline recommendation using intelligent services,according to one or more aspects of the disclosure;

FIG. 17 depicts an example architecture for testing applications basedon modifying API calls; and

FIGS. 18 and 19 depict flowcharts illustrating example methods fortesting applications based on modifying API calls.

DETAILED DESCRIPTION

In the following description of the various embodiments, reference ismade to the accompanying drawings, which form a part hereof, and inwhich is shown by way of illustration various embodiments in whichaspects of the disclosure may be practiced. It is to be understood thatother embodiments may be utilized and structural and functionalmodifications may be made without departing from the scope of thepresent disclosure. Aspects of the disclosure are capable of otherembodiments and of being practiced or being carried out in various ways.Also, it is to be understood that the phraseology and terminology usedherein are for the purpose of description and should not be regarded aslimiting. Rather, the phrases and terms used herein are to be giventheir broadest interpretation and meaning. The use of “including” and“comprising” and variations thereof is meant to encompass the itemslisted thereafter and equivalents thereof as well as additional itemsand equivalents thereof.

By way of introduction, aspects described herein may relate to amonitoring application that integrates alerting, monitoring, and customqueries with mobile and other toolsets to allow a user the flexibilityto monitor software systems at the level of their API dependencies,regardless of complexity. A monitored application (which may include asoftware application, an API, a platform, and other services) may bestructured to rely on multiple other dependencies. The monitoredapplication may request, retrieve, and modify data provided by otherservices, such as through an API provided by another application.Performance problems at these dependencies may result in the monitoredapplication entering an unhealthy state, for example leading to themonitored application being unable to retrieve necessary data or timingout on user requests. The methods and techniques described herein mayfacilitate improved monitoring of system health based on applicationdependencies, and may allow for reduced incident recovery time andincreased system resiliency.

Aspects discussed herein may provide methods and techniques formonitoring operating statuses of an application and its dependencies. Amonitoring application may be configured to collect and report theoperating status of the monitored application and each of thedependencies of the application. Through use of existing monitoringinterfaces provided by a monitoring interface application, themonitoring application can collect operating status without requiringmodification of the underlying monitored application or dependencies.Aspects described herein may allow the monitoring application todetermine a problem service that is a root cause of a system outage orother unhealthy state of the monitored application.

Also discussed herein are dependency analyzer and discovery crawlermethods and techniques that may be used to automatically configure andupdate the monitoring application. Further aspects discuss use ofmachine learning techniques to determine patterns of performance basedon system state information associated with performance events.Similarly, a machine learning model may provide health reports relativeto a baseline status of the monitored application. And other aspectsdescribed herein may provide methods and techniques for testing aresponse of the monitored application through modifications to APIcalls. Such tests may be used to train the machine learning model,according to some aspects.

Before discussing these concepts in greater detail, however, severalexamples of a computing device that may be used in implementing and/orotherwise providing various aspects of the disclosure will first bediscussed with respect to FIG. 1.

FIG. 1 illustrates one example of a computing device 101 that may beused to implement one or more illustrative aspects discussed herein. Forexample, computing device 101 may, in some embodiments, implement one ormore aspects of the disclosure by reading and/or executing instructionsand performing one or more actions based on the instructions. In someembodiments, computing device 101 may represent, be incorporated in,and/or include various devices such as a desktop computer, a computerserver, a mobile device (e.g., a laptop computer, a tablet computer, asmart phone, any other types of mobile computing devices, and the like),and/or any other type of data processing device.

Computing device 101 may, in some embodiments, operate in a standaloneenvironment. In others, computing device 101 may operate in a networkedenvironment. As shown in FIG. 1, various network nodes 101, 105, 107,and 109 may be interconnected via a network 103, such as the Internet.Other networks may also or alternatively be used, including privateintranets, corporate networks, LANs, wireless networks, personalnetworks (PAN), and the like. Network 103 is for illustration purposesand may be replaced with fewer or additional computer networks. A localarea network (LAN) may have one or more of any known LAN topology andmay use one or more of a variety of different protocols, such asEthernet. Devices 101, 105, 107, 109 and other devices (not shown) maybe connected to one or more of the networks via twisted pair wires,coaxial cable, fiber optics, radio waves or other communication media.

As seen in FIG. 1, computing device 101 may include a processor 111, RAM113, ROM 115, network interface 117, input/output interfaces 119 (e.g.,keyboard, mouse, display, printer, etc.), and memory 121. Processor 111may include one or more computer processing units (CPUs), graphicalprocessing units (GPUs), and/or other processing units such as aprocessor adapted to perform computations associated with machinelearning. I/O 119 may include a variety of interface units and drivesfor reading, writing, displaying, and/or printing data or files. I/O 119may be coupled with a display such as display 120. Memory 121 may storesoftware for configuring computing device 101 into a special purposecomputing device in order to perform one or more of the variousfunctions discussed herein. Memory 121 may store operating systemsoftware 123 for controlling overall operation of computing device 101,monitoring application 125 for instructing computing device 101 toperform aspects discussed herein, machine learning software 127, smartdatabase 129, and other applications 131. Machine learning software 127may be incorporated in and may be a part of monitoring application 125.In embodiments, computing device 101 may include two or more of anyand/or all of these components (e.g., two or more processors, two ormore memories, etc.) and/or other components and/or subsystems notillustrated here.

Devices 105, 107, 109 may have similar or different architecture asdescribed with respect to computing device 101. Those of skill in theart will appreciate that the functionality of computing device 101 (ordevice 105, 107, 109) as described herein may be spread across multipledata processing devices, for example, to distribute processing loadacross multiple computers, to segregate transactions based on geographiclocation, user access level, quality of service (QoS), etc. For example,devices 101, 105, 107, 109, and others may operate in concert to provideparallel computing features in support of the operation of control logic125 and/or software 127.

One or more aspects discussed herein may be embodied in computer-usableor readable data and/or computer-executable instructions, such as in oneor more program modules, executed by one or more computers or otherdevices as described herein. Generally, program modules includeroutines, programs, objects, components, data structures, etc. thatperform particular tasks or implement particular abstract data typeswhen executed by a processor in a computer or other device. The modulesmay be written in a source code programming language that issubsequently compiled for execution, or may be written in a scriptinglanguage such as (but not limited to) HTML or XML. The computerexecutable instructions may be stored on a computer readable medium suchas a hard disk, optical disk, removable storage media, solid statememory, RAM, etc. As will be appreciated by one of skill in the art, thefunctionality of the program modules may be combined or distributed asdesired in various embodiments. In addition, the functionality may beembodied in whole or in part in firmware or hardware equivalents such asintegrated circuits, field programmable gate arrays (FPGA), and thelike. Particular data structures may be used to more effectivelyimplement one or more aspects discussed herein, and such data structuresare contemplated within the scope of computer executable instructionsand computer-usable data described herein. Various aspects discussedherein may be embodied as a method, a computing device, a dataprocessing system, or a computer program product.

Having discussed several examples of computing devices which may be usedto implement some aspects as discussed further below, discussion willnow turn to methods and techniques for monitoring application health anddependencies in a computing system.

Application Dependency Monitor

According to some aspects, a monitoring application may be configured tocollect and report the operating status of a monitored application andeach of the dependencies of the application. Through use of existingmonitoring interfaces provided by a monitoring interface application,the monitoring application may collect operating status withoutrequiring modification of the underlying monitored application ordependencies. Aspects described herein may allow the monitoringapplication to determine a problem service that is a root cause of asystem outage or other unhealthy state of the monitored application.

FIG. 2 depicts an example operating environment 200 used to discussvarious aspects of the monitoring application and related featuresdescribed further herein. Application 201 (sometimes referred to as“monitored application” or “target application” herein) may be anapplication in a complex system that has multiple dependencies that itrequires to process user requests and transactions. Although referred toas an “application,” application 201 may be any suitable softwareapplication, platform, API, or other service that the user desires tomonitor using the monitoring application.

In the example environment illustrated in FIG. 2, application 201 maysupport requests from upstream clients 210, including web client 211,mobile client 213, and/or desktop client 215. For example, application201 may be an enterprise account frontend configured to accept requestsfrom upstream clients 210 regarding transactions on the account.Application 201 is illustrated as having three dependencies: service221, service 223, and service 225. For example, service 221 mightprovide account authentications, service 223 might provide user addressinformation, and service 225 might provide balance and transactioninformation. Each may be referred to as an immediate, or direct,dependency of application 201. These dependencies may support otherservices/applications, such as how service 227 is depicted as relying onservice 221. Each service relied on by application 201 may have its ownfurther dependencies, which may be referred to as sub-dependencies ofapplication 201. For example, service 225 may rely on data from service231 (e.g., an account balance) and service 233 (e.g., transactionsagainst the account). Service 233 is illustrated as depending further onservice 241 (e.g., a messaging service to a transaction processor) whichitself depends on service 251 (e.g., a third party transactionprocessor).

FIG. 3A depicts an example where a problem in operating environment 300(which may correspond to operating environment 200 of FIG. 2) is causingthe target application to behave in an unhealthy manner Upstream clients210 may be reporting errors due to requests to application 201. Toupstream clients 210, applications 201 appears to be the source oferrors. However, the unhealthy state of application 201 may be due tofailures at one or more dependencies. A problem 305 at a sub-dependencyof application 201 (e.g., at service 241) may cascade downstream andimpact a line of dependencies leading back to application 201 (e.g.,service 233, service 225). Though their ability to provide good resultsmay be impacted, application 201, service 225, and service 233 may beotherwise healthy but for the problem at service 241.

As illustrated in FIG. 3B, according to aspects described herein, themonitoring application may be configured to monitor operating status ofapplication 201 and each of its dependencies and sub-dependencies(collectively, dependencies). In environment 350, the monitoringapplication may determine the operating status of each service in thesystem (including application 201). Operating status of a given servicemay be determined using a monitoring interface associated with thatservice. Monitoring interfaces may be provided by a monitoring interfaceapplication/framework, such as Splunk or Elastic, and may provide one ormore metrics regarding the operating status of the correspondingservice. The monitoring application may use the monitoring interfaces todetermine if the service has a healthy or unhealthy operating status.For example, the monitoring application may use a set of unhealthyoperating status thresholds associated with the metrics to recognizewhen the service is in an unhealthy, problematic operating state. Themonitoring interfaces may also allow the monitoring application todiscern a source or nature of service disruption, and the operatingstatus of a service may be that the service is otherwise healthy but fora problem dependency.

In the example of FIG. 3B, problems detected at upstream clients 210 maylead to a system administrator for application 201 seeking to discover asource of the problems. Application 201 may have a generally healthyoperating status but for data needed from dependencies, and thus may bedetermined to have an unhealthy operating status. The monitoringapplication may check the operating status of each immediate dependency,and may see that service 221 and service 223 are reporting no problems(e.g., have a healthy operating status). The monitoring application maysee that service 225 is reporting problems, even if service 225 isfunctional. The monitoring application may traverse service 225'sdependencies, and see that service 231 is not reporting problems whileservice 233 is reporting problems. The monitoring application maycontinue the chain to inspect service 241 as a dependency of service233, continuing to hunt for the source of the problem. Service 241 maybe reporting problems, but a check of service 251 (a dependency ofservice 241) may reveal that service 251 is ok. Thus, because service251 has a healthy operating state, the monitoring application candetermine that service 241 is the root source of problem 305. Havingdetermined a root source, the monitoring application can update thestatus of application 201, service 225, and service 233 to indicate thatthey are healthy but for their dependency on service 241. Service 241may be output by the monitoring application in a notification as aproblem dependency.

FIG. 4 depicts an example architecture 400 for a monitoring application430 according to one or more aspects of the disclosure. Application 401(also referred to as the monitored application or target application)and services 403 a-n may be set up for monitoring by a monitoringinterface application 410. Services 403 a-n may correspond todependencies (and sub-dependencies) of application 401. Application 401and services 403 a-n may correspond to application 201 and theillustrated services of FIGS. 2, 3A, and 3B.

Monitoring interface application 410 may be configured to monitor one ormore attributes or operating metric of application 401 and service 403a-n. Example monitoring interface applications include Spunk andElastic's ELK framework. Application 401 and services 403 a-n may bedesigned and/or configured to allow monitoring interface application 410access to the attributes and or operating metrics through APIs or othermeans. Monitoring interface application 410 may be used to facilitateapplication and service monitoring, and the monitoring interfaces 420may be made available to other applications that may make use ofattribute and operating metrics associated with application 401 orservice 403 a-n. Monitoring interfaces 420 may comprise one or moremonitoring interfaces 421 associated with application 401, and one ormore monitoring interfaces 423 a-n associated with services 403 a-n.Each monitored service (e.g., application 401 or services 403 a-n) maybe associated with one or more monitoring interfaces that trackdifferent attributes and/or operating metrics associated with therespective service. Monitoring interfaces 420 may be used to createdashboards allowing a user to view the various attributes and operatingmetrics collected by monitoring interface application 410.

Users and other applications may interact with monitoring interfaceapplication 410 using a query protocol associated with monitoringinterface application 410. Monitoring interfaces 420 may be used byusers and other applications via suitable queries structured to instructmonitoring interface application 410 to retrieve desired attributes andoperating metrics associated with a monitored application/service.Although a single monitoring interface application 410 is illustrated inFIG. 4, it should be appreciated that multiple monitoring interfaceapplications may be used without departing from the concepts describedherein. For example, application 401 and service 403 a may be onboardedfor monitoring via a first monitoring interface application, such asSplunk. Service 403 b may be onboarded for monitoring via anothermonitoring interface application, such as the Elastic ELK framework.Monitoring application 430 may utilize monitoring interfaces 420provided by multiple, different monitoring interface applications. Thedifferent monitoring interface applications may utilize different queryprotocols, and monitoring application 430 may be configured with theappropriate queries to retrieve attributes and operational metrics viamonitoring interfaces 420.

Monitoring application 430 may be configured to utilize monitoringinterfaces 420 to monitor the status of application 401 and itsdependencies, services 403 a-n. Monitoring application 430 may usemonitoring interface(s) 421 to assess an operating status of application401. Similarly, monitoring application 430 may use monitoring interfaces423 a-n to assess an operating status of application 401's dependencies.Monitoring application 430 may be configured to respond to commands fromusers 441 and provide reports. One example of a report provided to usersmay be system status window 443, which may comprise a visualization ofapplication 401 and its dependencies in the same manner as FIG. 3B.Monitoring application 430 may also provide results/reports regardingsystem operating status to administrative processes 445, which mayfurther process the operating data and/or automate portions of systemadministrative. As will be discussed further below with respect to FIG.12, monitoring application 430 may also interface with intelligentservices components including smart database 447 and machine learningprocesses 449 to enable use of artificial intelligence and/or machinelearning techniques to generate predictions regarding system operatingstatus and corrective actions.

Monitoring application 430 may support several user interfaces forreceiving user requests and outputting reports. For example, monitoringapplication 430 may provide a graphical user interface configured toaccept commands and display reports. As another example, monitoringapplication 430 may implement a chat bot designed to respond to usertext commands with appropriate statistics. The chat bot may utilizenatural language processing of queries to provide users with a moreapproachable user interface.

Some example commands for controlling the monitoring application chatbot include:

-   -   @mon appl dd—check dependencies    -   @mon appl kpi—check key performance indicators    -   @mon appl stats—check statistics    -   @mon appl tps—check transactions per second    -   @mon appl statements_chart 15m—view statements_chart over last        15 minutes    -   @mon appl transactions_chart 30m—view transactions_chart over        last 30 minutes    -   @mon appl payments_chart 60m—view payments_chart over last 60        minutes

Additionally, monitoring application 430 may support a mobile userinterface, enabling system administrators to monitor and troubleshootsystem operation more flexibly. The mobile user interface, and othergraphical user interfaces, may be configured to support similar commandsto those listed above (and many others).

The monitoring application 430 may generate reports that provideindications of system operating health. For example, reports mayindicate whether application 401 or any of the dependencies 403 a-n areoperating with errors beyond an unhealthy operating status threshold.Monitoring application 430 may provide many different, configurablereports designed to provide users with the right information to diagnoseand troubleshoot problems. Some reports may be configured to providespecific information typically requested by users. Others may resultfrom dynamic determinations of what the most relevant and/or problematicsystem attributes are at a given time, and may present that informationto the user. For example, if a user requests a dependency check for asystem having 20+ dependencies, the system may provide a reduced reportlisting dependencies that are operating at below average performancelevels or are otherwise indicating problems. Monitoring application 430may report any suitable operating metric relevant to performance andhealth of application 401 and/or service 403 a-n. Some example operatingmetrics may include: number of transactions received per second, numberof transactions handled per second, error rate, latency, networkutilization, network speed, memory utilization, processor utilization,other resource utilization, latencies to individual dependencies, errorrates of individual dependencies, error messages of an application orservice, error messages of a dependency, and/or any other suitableoperating metrics.

According to some aspects, monitoring application 430 may be configuredto identify a potential root cause of a performance impacting event.Monitored application 401 may provide information and service in supportof other applications, such as the relationship between monitoredapplication 201 and upstream dependencies 210 in FIG. 2. Upstream usersmay report problems, or problems may be detected based on the operatingstatus of monitored application 401. The operating status of monitoredapplication 401 may be healthy but for performance problems atdownstream dependencies. Monitoring application 430 may utilizemonitoring interfaces to determine an operating status of application401 and its dependencies to determine a root cause and allow systemadministrators to quickly establish that application 401 is not itselfhaving problems, besides its reliance on a downstream dependency that iscausing the issue.

Monitoring application 430 may determine the potential root cause of theproblems by traversing a dependency tree associated with monitoredapplication 401. Monitoring application 430 may monitor the operatingstatus of monitored application 401. Based on determining that monitoredapplication 401 has errors or reduced performance, monitoringapplication 430 may check operating status of each first leveldependency of monitored application 401 (based on, e.g., traversingnodes in a dependency tree). When a first level dependency is identifiedas having errors and/or an unhealthy operating status, monitoringapplication 430 may proceed down a layer to check operating status ofeach dependency (second level dependencies) of the first leveldependency determined to have problems. If monitoring application 430identifies a problem node at that layer, it can continue to advance tofurther layers of the dependency tree. Once monitoring application 430identifies a layer without any problem dependencies, or reaches a finallayer, monitoring application 430 can conclude that a problem dependencyof the prior layer is a potential root cause of application 401'sperformance issues. FIGS. 5 and 6 illustrate example methods throughwhich monitoring application 430 may identify and surface a potentialroot cause (or “problem dependency”) of a performance impacting event.

FIG. 5 depicts a flowchart illustrating an example method 500 todetermine operating statuses of a target application and itsdependencies and generate a corresponding system health report. Method500 may be a computer-implemented method, and may be implemented by oneor more computing device such as computing devices 101, 105, 107, and/or109 of FIG. 1. Method 500 may be performed by a monitoring device thatimplements monitoring application 430, or other suitable device.

At step 505, the monitoring device may determine dependencies of atarget (monitored) application. The monitored application may correspondto a software application, API, and/or other suitable service that theuser desires to monitor. Dependencies may comprise services that themonitored application relies on to provide and/or process information.Example dependencies include APIs, platforms, hardware resources,network resources, third party services, and/or any other service thatapplication depends on to provide and/or process information associatedwith operation of the application. Dependencies of an application may bebased on information previously generated by the system or systemadmins, so the monitoring device may leverage existing documentation todetermine dependencies of the application. According to some aspectsdiscussed further herein, the monitoring device may implement dependencyanalysis features to automatically identify dependencies for theapplication based on one or more sources of dependency information forthe monitored application and its respective dependencies. Thesefeatures are discussed further herein with respect to FIGS. 7-10.

At step 510, the monitoring device may build a dependency tree for thetarget application. Based on the dependencies determined for theapplication, the monitoring device may build a dependency treeindicating the function and/or logical relationship between themonitored application, its immediate dependencies, and furtherdependencies of those immediate dependencies. The dependency tree may belogically represented as a series of nodes, with each node correspondingto the application, an immediate dependency, or a further dependency.The depictions in FIGS. 2, 3A, and 3B may visually represent thestructure of an exemplary dependency tree for application 201. Thedependency tree may facilitate parsing and traversal of the servicesthat the application depends on during a process to identify potentialroot causes of service impacting events and/or otherwise generate healthreports regarding operation of the system and/or the monitoredapplication.

Building the dependency tree for the target application may take intoaccount and avoid redundant and/or circular dependencies. The dependencymapping logic may consider whether a dependency is already present inthe dependency tree, and may remove it from the tree and/or avoid addingthe redundant dependency. This may allow the monitoring application toavoid re-checking a dependency whose operating status has already beenchecked. The monitoring device may also be configured to avoid circulardependencies, detecting that a dependency structure would cause a loopin the dependency tree. The monitoring device may avoid adding therelationship that would complete the loop, avoiding complications ofhaving a loop in the tree graph while still allowing each dependency tobe traversed. Additional aspects are discussed further herein withrespect to FIGS. 7-9.

At step 515, the monitoring device may configure a monitoringapplication, such as monitoring application 430, to monitor the targetapplication, such as application 401. Configuring the monitoringapplication may comprise on-boarding the monitored application byconfiguring the monitoring application to track the operating status ofthe monitored application. As explained further in steps 520-540, themonitoring device may on-board the monitoring application by configuringthe monitoring application to monitor the target application usingmultiple monitoring interfaces provided by a monitoring interfaceapplication, such as Splunk.

At step 520, the monitoring device may determine monitoring interfacescorresponding to the target application. A user who is configuring themonitoring application may identify the monitoring interfaces (e.g.,Splunk queries) that should be used to monitor the operating status ofthe target application. On-boarding for an application (or otherservice/dependency) may comprise capturing a query file associated witha monitoring interface application and importing those queries into themonitoring application. The monitoring interfaces may have beenconfigured and/or created by the administrator, or they may have beencreated by other users that are monitoring operation of the system,target application, and/or dependencies. Additionally, and/oralternatively, the system may automatically determine monitoringinterfaces to use for the target application and/or dependencies basedon monitoring interfaces provided by the monitoring interfaceapplication

Similarly, at step 530 the monitoring device may determine monitoringinterfaces corresponding to dependencies of the target application. Aswith determining monitoring interfaces for the target application, thesystem may receive user selection of monitoring interfaces to use foreach dependency and/or automatically determine appropriate monitoringinterfaces. Particularly, if a given dependency has been previouslyon-boarded to the monitoring application, the system may leverage thatprior configuration to determine which monitoring interfaces to use tomonitor operating status of the given dependency.

As mentioned above, determining monitoring interfaces corresponding tothe target application and/or dependencies in steps 520 and/or 530 maycomprise automatically determining suitable monitoring interfaces forthe application/dependencies. A discovery crawler may automaticallyidentify relevant monitoring interfaces provided by the monitoringinterface application based on the mapped dependencies. Updates to thedependencies of the application, or to the available monitoringinterfaces, may be automatically detected and used to keep themonitoring application up to date. As one example, the system mayautomatically determine the monitoring interfaces to use based on anexisting monitoring dashboard. As another example, the system maydetermine the monitoring interfaces to use based on a priorconfiguration of the monitoring application to monitor the targetapplication and/or dependency as part of a configuration of themonitoring application to monitor another application that depends onaspects of the target application. This may allow administrators toleverage prior onboardings of other applications to quickly on-board themonitoring application for a new target application and itsdependencies.

A discovery crawler may parse the monitoring interface applications usedin a network to monitor target applications and services. Dashboardscreated for application and service monitoring may be leveraged toautomatically determine the monitoring interfaces to use in themonitoring application. One advantage of this automatic process is thatthe monitoring application may be kept up to date as new monitoringinterfaces (e.g., revised/new Splunk queries) are perfected and deployedfor system monitoring by administrators. And this may allow the systemto automatically update the monitoring application to monitor newdependencies that are identified, allowing a more complete picture ofthe health and status of the target application and system.

At steps 525 and 535, the monitoring device may determine thresholdsassociated with the operating status of the target application and/orits dependencies. The thresholds may comprise unhealthy operating statusthresholds, and may include values associated with one or more metricsthat indicate that an application or other service has an unhealthyoperating status. Unhealthy operating status thresholds may be set bysystem administrators as part of on-boarding the monitoring applicationfor the target application and dependencies. Additionally, and/oralternatively, the discovery crawler features discussed above may allowthe monitoring device to automatically determine thresholds associatedwith the information provided by a given monitoring interface. Forexample, a user may have configured a Splunk query for a first APIdesigned to alert when a response latency of the first API rises above acertain value, e.g., 100 ms. The monitoring device may identify that theprior user configured the monitoring query to use a response latencythreshold, and may determine that the monitoring application should usea similar threshold to determine when the application/dependency entersan unhealthy state of performance. However, different applications andadministrators may have different requirements and/or definitions ofwhat constitutes an unhealthy operating status. The monitoring devicemay determine that a first threshold value is being used by an existingmonitoring interface for a service dependency, but the administrator maywish to use a second threshold value based on the same metric to alerton decreased performance. Configurable thresholds may allow users tobetter identify when the target application and/or dependencies have anunhealthy operating status, and may allow users to proactively detectconditions that may lead to the application and/or dependency having afuture unhealthy operating status.

At step 540, the monitoring device may configure the monitoringapplication to use the determined monitoring interfaces to track theoperating status of the target application and its dependencies. Thismay comprise configuring the monitoring application to retrieve one ormore performance metrics provided by the monitoring interfaces relevantto the target application and/or dependency service. By configuring themonitoring application to utilize the monitoring interfaces,administrators can avoid the need to develop new monitoring APIs just toallow the monitoring application to access the data it needs to generatehealth reports. Leveraging existing monitoring interfaces may avoidpotentially disruptive changes to the underlying target applicationand/or dependency services. The monitoring application can pulloperating metrics from the monitoring interfaces rather than hookinginto processes of the target application and/or dependency services. Themonitoring application may make queries against the monitoring interfaceapplication rather than making queries against the monitored serviceitself.

Automatic updating of the available monitoring interfaces to monitoringoperating statuses of the target application and dependencies may beprovided at step 545 of method 500, where the system may detect anupdate to the available monitoring interfaces and proceed tore-configure the monitoring application.

At step 550, the configured monitoring application may determineoperating statuses of the target application and its dependencies usingthe monitoring interfaces. At step 555, the monitoring application maygenerate a health report for the target application and its dependenciesbased on the determined operating statuses. Health reports regarding theoperating status of the target application and the dependencies maysupport proactive, rather than just reactive, monitoring of the targetapplication. An administrator, other user, administrative process,and/or intelligent service may act on the health report to take stepsthat may prevent and/or reduce the likelihood of the target applicationentering an unhealthy operating state.

Continuous monitoring may enable the detection of error trends. Alertsand notifications may quickly surface problems for the system and/oradministrator to address. While some timeouts or errors are expectedeven during typical operation, the monitoring application may facilitatethe detection of unhealthy operating statuses that may be serviceimpacting. As discussed further herein, with respect to FIG. 6, themonitoring application may be configured to parse the dependency tree toidentify a potential root cause of an unhealthy operating status andgenerate a notification of the same.

FIG. 6 depicts a flowchart illustrating a method 600 of determining aproblem service when a monitored application has an unhealthy operatingstatus, based on analyzing the monitored application and itsdependencies. Method 600 may be performed by any suitable computingdevice, such as a monitoring device, as was described above with respectto method 500.

At step 605, the monitoring device may configure a monitoringapplication to monitor a target application and its dependencies usingmultiple monitoring interfaces. Step 605 of method 600 may correspond tostep 515 of FIG. 5, along with its sub-steps 520, 525, 530, 535, and540.

At step 610, the monitoring device may monitor the operating status ofthe monitored target application and its dependencies. The monitoringdevice may determine an operating status of the target application anddependencies based on operating metrics retrieved via the monitoringinterfaces. Steps 610 and subsequent steps may be performed using amonitoring application as discussed above.

At steps 615 and 620, the monitoring device may determine to generate ahealth report for the monitored application. In step 615, the monitoringdevice may receive a user request to generate a report. The request mayindicate that the user wants to see a dependency health report toidentify a root cause of a service impacting event affecting the targetapplication. In step 620, the monitoring device may detect that theapplication has an unhealthy status and determine to generate a reportand/or notification identifying a potential root cause of the unhealthystate of the application. The monitoring device may determine that themonitored application is not itself generating errors, but that theoperating status of the monitored application indicates that adownstream dependency of the monitored application may be causing themonitored application to have the unhealthy operating status.

At step 625, the monitoring device may traverse a dependency treeassociated with the target monitored application to identify a potentialroot cause of the performance problems. By walking through thedependency tree, the monitoring device may determine which dependencieshave unhealthy operating statuses and identify a potential root cause ofthe unhealthy statuses. The tree traversal process may comprise walkingthrough nodes of the dependency tree that each correspond to themonitored application and/or the services the monitored applicationdepends on.

At step 630, the monitoring device may begin the tree traversal processat a first level of the dependency tree. The first level of thedependency tree may comprise immediate dependencies of the targetapplication. The immediate dependencies may be APIs and/or otherservices that are directly called by the monitored application duringoperation.

At step 635, the monitoring device may determine operating statuses ofeach service/dependency included in the current level of the dependencytree (beginning after step 630 at the first level of the dependencytree). The operating status of each service may be determined by themonitoring application based on the monitoring interfaces as configuredin step 605. For each service, the monitoring application may determinewhether the service has an unhealthy operating status. As describedabove, the monitoring application may be configured with one or moreoperating status thresholds which the monitoring application can compareto operational metrics retrieved via the monitoring interfaces. If ametric exceeds or otherwise meets the criteria for having an unhealthyoperating status, the monitoring application may determine that theservice has an unhealthy operating status. If operational metricsassociated with the service fall below or otherwise do not meet thecriteria for having an unhealthy operating status, the monitoringapplication may determine that the service has a healthy operatingstatus in the absence of other factors that indicate that the servicehas an unhealthy status. In addition to, and/or as an alternative to,comparing metrics to thresholds, the monitoring application may inspecterror messages associated with the service to determine whether a givenservice has an unhealthy operating status.

At step 640, the monitoring device may determine whether a dependency inthe current level of the dependency tree has been determined to have anunhealthy operating status. This determination may enable the monitoringapplication to identify the potential root cause of the systemperformance problems. The tree traversal process may proceed based onwhether a dependency in the current level has an unhealthy status, andbased on whether all dependencies in the current level are determined tohave a healthy status.

At step 645, if all dependencies in the current level of the dependencytree are found to have a healthy operating status, then the monitoringapplication can determine that a parent dependency of the prior level isthe problem service likely causing the impact to the operating status ofthe monitored application. If the current layer is the first layer, thenthe monitoring application can determine that the monitored applicationitself is the problem service.

If, instead, the monitoring application identifies a dependency of thecurrent level that has an unhealthy operating status, at step 650 themonitoring application may determine whether it has reached a last levelof the dependency tree. If the current level is the last level of thetree, the monitoring application may determine at step 655 that theunhealthy dependency of the current level is the problem service.

If the current level is not the last level, at step 660 the monitoringapplication may advance to a next level of the tree. The next level maybe limited to the further dependencies of the particular dependency thatwas determined to have an unhealthy operating status in step 640. Thenthe monitoring application may loop back to step 635 and determine theoperating status of each further dependency in the next level.

As an example, consider the exemplary environment illustrated in FIG. 3Aand discussed above. At step 620, the monitoring application maydetermine that application 201 has an unhealthy operating status. Theroot cause of the unhealthy operating status of application 201 may beproblem 305 at service 241, a sub-dependency of application 201 threelevels deep. At step 630, the tree traversal process may begin at alayer comprising services 221, 223, and 225—the immediate dependenciesof application 201. At step 635, the monitoring application maydetermine the operating status of each of service 221, service 223, andservice 225. Because the problem 305 does not impact services 221 and223, the monitoring application may determine that they have a healthyoperating status. The monitoring application may determine that service225 has an unhealthy operating status, since problem 305 at service 241is impacting operation downstream. At step 640 the monitoringapplication determines that it found a dependency having an unhealthyoperating status (service 225), which is not the last level (step 650).At step 660 the monitoring application may advance to the next level(service 231 and service 233) of the dependency tree, assessing thestatus of nodes that depend from service 225. Returning to step 635, themonitoring application may determine that service 231 has a healthystatus but that service 233 has an unhealthy status. Through steps 640,650, and 660, the monitoring application may advance to the next levelof the dependency tree beyond service 233, which comprises only service241 in the example. Returning again to step 635, the monitoringapplication may determine that service 241 has an unhealthy operatingstatus, and advance to the final layer of the dependency tree thatcorresponds to dependents of service 241, a layer comprising service251. The monitoring application may determine that service 251 has ahealthy operating status, since service 305 is upstream from problem 305and not impacted. At step 640, the monitoring application may determinethat no dependencies at the current level have an unhealthy operatingstatus and thus may conclude at step 645 that service 241, the parentdependency of the current level, is the problem service and likely rootcause of the unhealthy operating statuses in the system.

At step 665, having determined the problem service as a likely rootcause of the unhealthy operating statuses in the system, the monitoringdevice may generate output identifying the problem service. For example,the monitoring device may generate a health report that flags theproblem service and associated operating metrics that relate to thedetermination that the problem service has an unhealthy status. Errormessages and other metrics related to the problem service may also beprovided to assist in troubleshooting why the problem service has anunhealthy operating status and determining suitable corrective actions.

Thus, according to some embodiments a computer-implemented method formonitoring operating status of a first application and its dependenciesmay be provided. The method may be performed by a monitoring device orother computer system. The computer system may determine a plurality ofservices associated with the first application. The plurality ofservices may be organized as a dependency tree, and may include one ormore first services corresponding to one or more immediate dependenciesassociated with the first application and one or more second servicescorresponding to one or more sub-dependencies associated with the firstapplication. Each of the second services may correspond to a respectivedependency of a corresponding immediate dependency or sub-dependencyassociated with the first application. The computer system may configurea monitoring application to monitor the plurality of services using aplurality of monitoring interfaces.

The computer system may automatically identify, using the monitoringapplication, a problem service of the plurality of services through atree traversal process. The tree traversal process may begin at a firstlayer of the dependency tree corresponding to the one or more immediatedependencies. The tree traversal process may include determining, basedon the plurality of monitoring interfaces, an operating status of eachservice included in a current layer of the dependency tree. Based onwhether a first service of the current layer is identified as having anunhealthy status, and based on whether each service of the current layeris identified as having a healthy status, the traversal process mayproceed. When the first service is identified as having an unhealthystatus, the computing system may continue to traverse the dependencytree to identify the problem service by advancing to a next layer of thedependency tree. The next layer of the dependency tree may compriseservices corresponding to a plurality of dependencies of the firstservice. When each service of the current layer is identified as havinga healthy status, the computer system may identify a parent dependencyservice, of an immediately prior layer of the dependency tree, that hasan unhealthy status as the problem service. The computing system maygenerate, by the monitoring application, a notification indicating thatthe parent service is the problem service.

In some implementations, at least one service of the plurality ofservices may correspond to an Application Programming Interface (API)associated with a resource utilized by the first application. At leastone service of the plurality of services may correspond to a networkutilized by the first application to communicate with anotherdependency. The first application may comprise an ApplicationProgramming Interface (API).

In some implementations, determining the operating status of a givenservice may comprise determining one or more of: whether a resourceassociated with the corresponding dependency is accessible; a responselatency associated with requests to the corresponding dependency; anerror rate associated with requests to the corresponding dependency;and/or an error state or error message provided by the correspondingdependency. A given service may be determined to have an unhealthystatus based on whether one or more metrics associated with thecorresponding dependency satisfy one or more operating statusthresholds. Configuring the monitoring application to monitor theplurality of services may include configuring the monitoring applicationto associate the one or more operating status thresholds with thecorresponding dependencies. In some implementations, determining theoperating status of a given service may be based on a predetermined timeperiod prior to a current time.

The plurality of monitoring interfaces may comprise a first monitoringinterface configured to enable monitoring of a second service utilizedby the first application. The first monitoring interface may begenerated by a first monitoring interface application and be configuredto determine at least one metric associated with the service.Configuring the monitoring application to monitor the plurality ofservices using the plurality of monitoring interfaces may compriseconfiguring the monitoring application to utilize the first monitoringinterface through at least one monitoring query associated with thefirst monitoring interface application. The plurality of monitoringinterfaces may further comprise a second monitoring interface configuredto enable monitoring of a third service utilized by the firstapplication. The second monitoring interface may be generated by asecond monitoring interface application and may be configured todetermine at least one metric associated with the third service. Thesecond monitoring interface application may be different from the firstmonitoring interface application and utilize a different query protocol.

In some implementations, determining the operating status of eachservice included in the current layer of the dependency tree maycomprise determining whether the operating status of a given service, ofthe services in the current layer, has previously been determined by themonitoring application during the tree traversal process. Based ondetermining that the operating status has already been determined, thecomputing system may use the previously determined operating status forthe given service.

In some implementations, the computing system may generate, by themonitoring application, a health report for the first application bytraversing the dependency tree to determine an operating status of eachservice of the plurality of services. The monitoring application may beconfigured to periodically generate the health report for the firstapplication. Determining, as part of the tree traversal process, theoperating status of each service included in a current layer of thedependency tree may be based on operating statuses determined duringgenerating the health report.

According to some embodiments another computer-implemented method formonitoring operating status of a first application and its dependenciesmay be provided. The method may be performed by a monitoring deviceand/or a computer system. The computer system may determine a pluralityof services associated with a first application. The plurality ofservices may comprise one or more first level services corresponding toone or more first level dependencies of the first application; one ormore second level services corresponding to one or more second leveldependencies of the first application, wherein each second leveldependency is a dependency of a corresponding first level dependency;and one or more third level services corresponding to one or more thirdlevel dependencies of the first application, wherein each third leveldependency is a dependency of a corresponding second level dependency.The first level dependencies may correspond to immediate dependencies ofthe first application. The first level dependencies may correspond tosub-dependencies associated with the first application. Eachsub-dependency of the first level dependencies may be a dependency of arespective dependency of a prior level associated with the firstapplication. The computer system may configure a monitoring applicationto monitor the plurality of services using a plurality of monitoringinterfaces.

The computing system may generate, based on the plurality of monitoringinterfaces, a health report for the first application. The computingsystem may generate the health report by traversing the dependencies.The system may determine an operating status of the first application.The system may determine, based on the plurality of monitoringinterfaces, an operating status of each of the first level dependenciesand identify a first service of the first level services as having anunhealthy operating status. The system may determine, based on theplurality of monitoring interfaces, an operating status of each of thesecond level dependencies that are dependencies of a first leveldependency corresponding to the first service, and identify a secondservice, of the second level services that correspond to dependencies ofthe first level dependency, as having an unhealthy operating status. Thesystem may determine, based on the plurality of monitoring interfaces,an operating status of each of the third level dependencies that aredependencies of a second level dependency corresponding to the secondservice, and determine that each third level service has a healthyoperating status. Based on determining that each third level service hasa healthy operating status, the system may identify the second servicehaving the unhealthy operating status as a problem service. And thesystem may generate a notification indicating that the second service isa problem service based on the health report.

According to some embodiments, another method may be provided formonitoring operating status of a first application and its dependenciesmay be provided. The method may be performed by a monitoring deviceand/or a computer system. The computing system may determine a pluralityof dependency nodes associated with a first application and organized asa dependency tree. The plurality of dependency nodes may comprise one ormore first nodes corresponding to one or more immediate dependenciesassociated with the first application; and one or more second nodescorresponding to one or more sub-dependencies associated with the firstapplication, wherein each of the second nodes corresponds to arespective dependency of a corresponding immediate dependency orsub-dependency associated with the first application. At least onedependency node of the plurality of dependency nodes may correspond toan Application Programming Interface (API) associated with a resourceutilized by the first application. The computing system may identify aplurality of monitoring interfaces associated with a monitoringinterface application and configured to enable monitoring of a pluralityof resources utilized by the first application. Each monitoringinterface of the plurality of monitoring interfaces may be configured todetermine at least one metric associated with a respective resource ofthe plurality of resources. The computing system may configure themonitoring application to utilize the plurality of monitoring interfacesto monitor the plurality of dependency nodes through at least onemonitoring query associated with the monitoring interface application.

The computing system may automatically identify, by the monitoringapplication, a problem node of the plurality of dependency nodes througha tree traversal process. The tree traversal process may begin at afirst layer of the dependency tree corresponding to the one or moreimmediate dependencies. The computing system may traverse the tree byfirst determining, based on the plurality of monitoring interfaces, anoperating status of each dependency node included in a current layer ofthe dependency tree. Based on whether a given dependency node of thecurrent layer is identified as having an unhealthy status, and based onwhether each dependency node of the current layer is identified ashaving a healthy status, the tree traversal process may proceed. A givendependency node may be determined to have an unhealthy status based onwhether one or more metrics associated with the corresponding dependencysatisfy one or more operating status thresholds. When the givendependency node is identified as having an unhealthy status, thecomputing system may continue to traverse the dependency tree toidentify the problem node by advancing to a next layer of the dependencytree, wherein the next layer of the dependency tree comprises nodescorresponding to a plurality of sub-dependencies of the dependencycorresponding to the given dependency node. When each dependency node ofthe current layer is identified as having a healthy status, thecomputing system may identify a parent dependency node, of animmediately prior layer of the dependency tree, that has an unhealthystatus as the problem node. The computing system may generate, by themonitoring application, a notification indicating that the parentdependency node is the problem node.

According to some embodiments, a computer-implemented method forconfiguring a monitoring application to monitor a plurality ofdependencies of a monitored application using a set of monitoringinterfaces is provided. The method may be performed by a monitoringdevice and/or other suitable computing devices. The monitoring devicemay determine a plurality of dependencies associated with a firstapplication. The plurality of dependencies may comprise one or moreimmediate dependencies associated with the first application and one ormore sub-dependencies associated with the first application. Eachsub-dependency of the one or more sub-dependencies may correspond to adependency of a respective immediate dependency or sub-dependencyassociated with the first application. The monitoring device mayconfigure a monitoring application to monitor the plurality ofdependencies using a plurality of monitoring interfaces. The pluralityof dependencies may comprise a first dependency. For example, the firstdependency may be an Application Programming Interface (API) associatedwith a resource utilized by the first application. As another example,the first dependency may be a platform utilized by the firstapplication. And as a third example, the first dependency may be anetwork utilized by the first application to communicate with anotherdependency. Configuring the monitoring application to monitor the firstdependency of the plurality of dependencies may include querying amonitoring interface application to determine a set of monitoringinterfaces associated with the first dependency. Configuring themonitoring application may further include configuring the monitoringapplication to monitor the first dependency using one or more firstmonitoring interfaces of the set of monitoring interfaces. Themonitoring device may monitor, by the monitoring application, anoperating status of the first dependency. The monitoring device maydetermine the operating status of the first dependency based ondetermining one or more of: whether a resource associated with the givendependency is accessible; a response latency associated with requests tothe given dependency; an error rate associated with requests to thegiven dependency; or an error state or error message provided by thegiven dependency. Determining the operating status of a given dependencyis based on a predetermined time period prior to a current time. And themonitoring device may generate an alert, based on detecting that theoperating status of the first dependency satisfies at least oneunhealthy operating status threshold, that the first dependency has anunhealthy operating status.

In some implementations, configuring the monitoring application tomonitor the first dependency further may include querying the monitoringinterface application to determine the at least one unhealthy operatingstatus threshold. The monitoring device may prompt a user to provide theat least one unhealthy operating status threshold. The monitoring devicemay generate a recommended value for the at least one unhealthyoperating status threshold based on a machine learning model trained toidentify correlations between the first dependency and the firstapplication having an unhealthy operating status. The monitoringapplication may be configured to monitor the first dependency based onthe determine unhealthy operating status thresholds.

In some implementations, the monitoring application may be configured toutilize the one or more first monitoring interfaces through at least onemonitoring query associated with the monitoring interface application.The method may further comprise re-configuring the monitoringapplication to monitor the first dependency at a second time, afteroriginally configuring the monitoring application to monitor the firstdependency, by. The monitoring application may be reconfigured byquerying the monitoring interface application to determine an updatedset of monitoring interfaces associated with the first dependency at thesecond time; determining that at least one new monitoring interface ispresent in the updated set of monitoring interfaces; and configuring themonitoring application to monitor the first dependency using the atleast one new monitoring interface. Similarly, the monitoringapplication may be reconfigured based on detected updates to themonitoring interface and/or removal of a monitoring interface.

Dependency Analyzer

According to some aspects discussed further herein, the monitoringdevice may implement dependency analysis features to automaticallyidentify dependencies for a target application based on one or moresources of dependency information for the target application and itsrespective dependencies. Implementing a dependency analyzer may allowfor automatic on-boarding and/or configuration of the monitoringapplication for a monitored application. Data lineage documentation, APIcall logs, and other resources may be parsed to determine dependenciesof the monitored application. The system may map out the dependencies ofthe monitored application and build a logical dependency tree for use inidentifying the root cause of performance issues. Updates to thedependencies of the application may be automatically detected and usedto keep the monitoring application up to date. In particular, thesefeatures may be used to assist in determining dependencies of a targetapplication for use in configuring a monitoring application, asdescribed above with respect to FIG. 5.

FIG. 7 depicts an example operating environment 700 used to discussillustrative aspects of systems and methods for building a dependencytree. Example environment 700 may be similar to environment 200 of FIG.2, and the elements illustrated therein may have similar features.Application 701 may be an application in a complex system that hasmultiple dependencies that it requires to process user requests andtransactions. Although referred to as an “application,” application 701may be any suitable software application, platform, API, or otherservice that the user desires to monitor using the monitoringapplication.

In the example environment illustrated in FIG. 7, application 701 isillustrated as having four dependencies: Service A 721, Service B 723,Service C 725, and Service D 727. Application 701 may rely oninformation and/or actions provided by services A-D to processtransactions, for example. Each may be referred to as an immediate, ordirect, dependency of application 701. Each service relied on byapplication 701 may have its own further dependencies, which may bereferred to as sub-dependencies of application 701. For example, in theillustrated example, Service A further depends on Service B and ServiceC. Service B further depends on Service 1 731, Service 2 732, andService 3 733. Service C may not have any dependencies of its own.Service D depends on Service 1, Service 4 724, and Service 5 735. Forexample, application 701 may rely on Service B to provide accountinformation for the user. Service B may rely on Service 1 fortransactions associated with the account, Service 2 for balanceinformation, and Service 3 for user address information. And application701 may rely on Service D for determining a rewards status of the user.Service D may rely on Service 1 (which Service B also relies on) toobtains the transactions associated with the account.

Each service in environment 700 (and similarly in environment 200) maycorrespond to a particular data resource (more particularly, a dataelement). The data resource may be data that the service is responsiblefor handling, or may be data handled by a software application orplatform associated with a microservice like an API. The data resourceassociated with a service may be the information that upstreamapplications or other services rely on the service to provide. Forexample, application 701 may rely on Service B to provide accountinformation for the user. A data resource associated with Service B maybe account records in an account database. Multiple data resources maybe associated with a given service, and the data resources may betreated at varying levels of generality. For example, another dataresource associated with Service B may be the account database. In someimplementations, the data resources associated with a service mayinclude a set of data resources that, if absent, may each cause theservice to have an unhealthy operating status. Although discussed withrespect to data resources, some embodiments may apply the describedtechniques with respect to specific data element values, pieces ofinformation needed by the application and services to performprocessing.

In an enterprise system, many different services may exist. Some complexsystems may have hundreds of thousands of API microservices thatenterprise applications can leverage to retrieve and operate onenterprise data. Some APIs in an enterprise system may provide access tothe same data resource. For example, Service D as a rewards platform mayrely on Service 4 to provide a rewards tier of the user. Anotherservice, Service 4 b 744 may also be provided by another platform on theenterprise system that also provides the rewards tier of the user. Forexample, Service 4 b may be part of a travel platform that alsomaintains the rewards tier of the user. By recognizing that two services(e.g., Service 4 and Service 4 b) provide the same data resource, amonitoring application can recommend corrective action to reconfigure amonitored application to retrieve a missing data resource from anotherservice when a first service enters an unhealthy state, as discussedfurther herein.

FIG. 8 depicts a flowchart illustrating an example method 800 forbuilding a dependency map for a target application and notifying a userof a data resource associated with a problem dependency of the targetapplication. Method 800 may be performed by any suitable computingdevice, such as a monitoring device, as was described above with respectto method 500.

At step 805, the monitoring device may begin configuring a monitoringapplication to monitor a target application. The monitoring applicationmay be initially configured to identify the application and one or moreoperating metrics of the application itself, in accordance with aspectsdescribed herein. To configure the monitoring application to monitordependencies of the target application, the monitoring application mayneed to determine dependencies of the target application (as in step 505of FIG. 5).

At step 810, the monitoring device may build a dependency map for thetarget application. The dependency map may be a logical tree structurethat tracks the application and its relationship with each of itsdependencies. The dependency map may be structured as a tree to indicatehow each service depends on another, and to model how the applicationultimately depends on each service in the dependency map. Building thedependency map for the target application may be accomplished throughsteps 815-830.

At step 815, the monitoring device may identify dependencies of thetarget application. Dependencies of an application or other service maybe determined using several techniques and sources of information. Datalineage documentation may list the dependencies of an application. Suchdata lineage documentation may have been generated by designers,developers, or administrators of the relevant system to track whatservices the application depends on. The dependency analyzer mayleverage this existing documentation to determine dependencies of theapplication, when available. The dependency analyzer may, additionallyand/or alternatively, use other techniques in determine dependencies ofthe application such as by analyzing API call logs associated with theapplication to determine which APIs are called by the application. Asanother example, the dependency analyzer may crawl monitoring interfacesassociated with the target application to determine which possibledependencies the monitoring application is tracking to update anoperating status of the application.

At step 820, the monitoring device may identify sub-dependencies of thetarget application, which may be further dependencies of the servicesthat the target application relies on. As with determining the immediatedependencies of the application in step 815, dependencies of a service(that is a dependency of the target application) may be determined usingseveral techniques and sources of information. Data lineagedocumentation may list the dependencies of that service. Such datalineage documentation may have been generated by designers, developers,or administrators of the relevant system to track what other servicesthe service depends on. The dependency analyzer may leverage thisexisting documentation to determine dependencies of the service, whenavailable. The dependency analyzer may, additionally and/oralternatively, use other techniques in determine dependencies of theservice such as by analyzing API call logs associated with the serviceto determine which APIs it calls. The dependency analyzer may, forexample, analyze API call logs to see the cascade of downstream APIcalls triggered by calls to a dependency of the service. Message IDsassociated with the API call to the dependency may be used to correlateentries in the API call logs and determine which downstream callscorrespond to the original API call. Based on determining that adownstream API gets called as a result of a call to a dependency, themonitoring device may determine that the downstream API is a furtherdependency of the service (and a sub-dependency of the application). Asanother example, the monitoring device may use patterns of failuredetermined by using machine learning models to process system eventinformation, as explained further herein with respect to FIGS. 12-16, toinfer dependency relationships among services. And chaos testing, suchas through the API call interception techniques discussed further hereinwith respect to FIGS. 17-19, may be used to infer application andservice dependencies based on determining a correlation between outageof a dependency service and outage of the application/service. Althoughillustrated as two steps 815 and 820, identifying the dependencies andsub-dependencies of the target application may be done as one step anyof the techniques described above may be used to determine bothimmediate dependencies and further sub-dependencies.

At step 825, the monitoring device may build the dependency map based onthe determined dependencies and sub-dependencies and the relationshipsbetween them. The monitoring device may build, as the dependency map, adependency tree indicating the functional and/or logical relationshipbetween the monitored application, its immediate dependencies, andfurther dependencies of those immediate dependencies. The dependencytree may be logically represented as a series of nodes, with each nodecorresponding to the application, an immediate dependency, or a furtherdependency.

Building the dependency tree for the target application may take intoaccount and avoid redundant and/or circular dependencies as illustratedat step 830. The dependency mapping logic may consider whether adependency is already present in the dependency tree, and may remove itfrom the tree and/or avoid adding the redundant dependency. Themonitoring device may also be configured to avoid circular dependencies,detecting that a dependency structure would cause a loop in thedependency tree. The monitoring device may avoid adding the relationshipthat would complete the loop, avoiding complications of having a loop inthe tree graph while still allowing each dependency to be traversed.

The dependency analyzer may build the tree according to a generalizedalgorithm, which may combine aspects of steps 825 and 830. Thedependency analyzer may iterate over the identified dependencies for thetarget application. For a current service, the dependency analyzer maydetermine whether the current service already exists in the dependencymap. If it does already exist, the current service will not need to beadded to the dependency map again. If the current service is not in thedependency map, the dependency analyzer may get the data lineage for thecurrent service. The current service and each of its dependencies may beadded to a tree of the dependency map based on the data lineage for thecurrent service. If any sub-trees in the existing tree, prior to addingthe current service, are also included in the current service's datalineage, the dependency analyzer may remove the existing sub-trees andproperly add them as part of the dependency tree of the current service.Operation of this algorithm on environment 700 of FIG. 7 is explainedfurther below with respect to FIGS. 9A-E, which depict the state of thedependency map corresponding to application 701 as the tree is built bythe dependency analyzer.

As an initial step in building the dependency tree corresponding toenvironment 700, the dependency analyzer may get a set of dependenciesfor application 701. A data lineage document, for example, may list thedependencies of application 701 as {Service B, Service A, Service C,Service D}. The dependency analyzer may iterate over the dependencies ofapplication 701 to build a complete dependency map. First, thedependency analyzer may get the data lineage for Service B and add it tothe dependency map, as shown in tree 900 of FIG. 9A. Second, thedependency analyzer may get the data lineage for Service A and add it tothe dependency map, as shown in tree 910 of FIG. 9B. Third, thedependency analyzer may determine that the existing sub-tree for ServiceB is fully included in the data lineage for Service A, and may removethe existing sub-tree for Service B when adding the data lineage forService A as shown in tree 920 of FIG. 9C. Fourth, the dependencyanalyzer may determine the data lineage for Service C, which has nodependencies, and see that the data lineage for Service C is alreadyreflected in tree 920 of FIG. 9C because Service C is a dependency ofService A. Thus the dependency analyzer may skip re-adding Service C tothe dependency map. Fifth, the dependency analyzer may get the datalineage for Service D and add it to the dependency map as in tree 930 ofFIG. 9D. Sixth, in some implementations, because Service D and Service Bboth depend on Service 1, the dependency analyzer may eliminate furtherredundancy by updating the dependency map to have Service D and ServiceB depend on a same node corresponding to Service 1 as in tree 940 ofFIG. 9E.

Returning to FIG. 8, at step 845, the monitoring device may identifydata resources associated with the dependencies. As discussed above,each service may correspond to one or more data resources. The dataresource may be data that the service is responsible for handling, ormay be data handled by a software application or platform associatedwith a microservice like an API. The data resource associated with aservice may be the information that upstream applications or otherservices rely on the service to provide. In some implementations, thedata resources associated with a service may include a set of dataresources that, if absent, may each cause the service to have anunhealthy operating status.

At step 850, the monitoring device may configure the monitoringapplication to monitor the target application and its dependencies usingmonitoring interfaces corresponding to the dependencies in thedependency map. At step 855, the monitoring device may determine aproblem dependency that has an unhealthy operating status. Steps 850 and855 may largely correspond to the similar steps and correspondingsub-steps discussed in FIG. 5.

At step 860, the monitoring device may notify a user that the problemdependency has an unhealthy status and may identify a likely problemdata resource. The monitoring device may determine a data resourceassociated with the problem dependency and notify the user that the dataresource may be the source of the performance problems. In someembodiments, the monitoring device may evaluate operating metrics anderror messages associated with the problem dependency to determinewhether the data resource is the likely cause of the problems. Thisevaluation may also help the monitoring device to generate arecommendation regarding which data resource of a set of data resourcesassociated with the problem dependency are likely to have caused theproblem. The notification may indicate an error message associated withthe specific problem dependency. Surfacing the error message provided bythe root cause of the problem may enhance the ability of anadministrator to troubleshoot and correct unhealthy system performance.

The monitoring device may identify a likely problem data resource andsurface that to the user via notifications. A system administrator mayreview the problem data resource and determine appropriate correctiveaction. For example, if the data resource is offline, the administratormay dispatch a technician to inspect hardware associated with the dataresource. As another example, if the data resource has an unhealthyoperating status, the administrator may send recovery commands to thedata resource, such as through a command line interface or graphicaluser interface. Recovery commands may include acts such asrestarting/rebooting the data resource and/or dependency, allocatingadditional resources to the data resource and/or dependency, adjustingone or more parameters associated with the data resource and/ordependency, and others. If the data resource is available elsewhere inthe system, one corrective action may be to reconfigure the targetapplication to retrieve the data resource from another service. This isdescribed further below with reference to FIGS. 10 and 11.

FIG. 10 depicts another example environment 1000 where a problem 1005 isimpacting performance of application 701, and causing application 701 toreport an unhealthy operating status (perhaps healthy but for thefailing dependency). Environment 1000 generally corresponds toenvironment 700, and the other elements are the same. Service 4 may beidentified as the likely root cause of the performance issues stemmingfrom problem 1005 using, e.g., method 500 of FIG. 5. For example, thesystem may see that Service D has an unhealthy operating status, butthat Services A, B, and C are each healthy. The system may see thatService 4 is unhealthy while Service 5 is healthy. And the system maysee that Service 4 is a last level service that has no dependencies ofits own. Thus, the system may conclude that Service 4 is likely the rootcause of the performance issues.

As discussed above with respect to FIG. 7 and environment 700, a dataresource provided by Service 4 is also available from Service 4 b. Themonitoring device may determine that Service 4 b has a healthy operatingstate, and may generate a recommendation that application 701 bereconfigured to get the data resource from Service 4 b instead offailing Service 4 via path 1013. Similarly, the monitoring device maydetermine that Service D may be reconfigured to get the data resourcefrom Service 4 b instead of failing service 4 via path 1011. Themonitoring device may include a suggestion regarding the reconfigurationof either the application 701 of Service D in a report. This isdiscussed further below with respect to FIG. 11.

FIG. 11 depicts a flowchart illustrating a method 1100 of generating arecommendation regarding reconfiguring a target application based ondetermining that a problem dependency has an unhealthy operating status.Method 1100 may proceed through steps 1005 through 1055 of FIG. 10.After the monitoring device detects that the problem dependency has anunhealthy operating status in step 1055, the monitoring device mayproceed to determine a recommended corrective action.

At step 1160, the monitoring device may determine that the data resourceprovided by the problem dependency is available from another service. Asexplained above, in an enterprise system, many different services mayexist. Some APIs in an enterprise system may provide access to the samedata resource. By recognizing that two services (e.g., Service 4 andService 4 b) provide the same data resource, a monitoring applicationcan recommend corrective action to reconfigure a monitored applicationto retrieve a missing data resource from another service when a firstservice enters an unhealthy state, as discussed further herein.According to some aspects, the other service need not provide the sameidentical data resource, and the monitoring device may be configured toallow for suitable, yet non-identical replacement.

At step 1165, the monitoring application may generate the recommendationregarding corrective action and provide it to the user. In some cases,the recommendation may prompt the user to take steps to reconfigure theapplication and/or dependencies. Additionally, and/or alternatively, therecommendation may be presented to the system administrator as a stepthe monitoring application can automatically implement once theadministrator approves. In some cases and implementations, administratorapproval may not be required and the monitoring device may proceed toautomatically reroute requests destined for the problem dependency tothe recommended replacement service. Recommendations may further includedetermining proposed system operations based on determining that thedata resource is available from another service. Optimizations may seekto reduce the number of dependencies needed to obtain the data resource.

Thus, according to some aspects, a computer-implemented method forbuilding a dependency map for an application or other service isprovided. The method may be implemented by any suitable computingdevice, such as a monitoring device. The monitoring device may identifyone or more first Application Programming Interfaces (APIs) that aredependencies of a first application. The monitoring device may determineone or more second APIs that are dependencies of each respective firstAPI. The monitoring device may build the dependency map for the firstapplication based on at least the one or more first APIs and the one ormore second APIs. The monitoring device may identify data resourcesassociated with each respective API in the dependency map. Using amonitoring interface providing one or more metrics regarding eachdependency in the dependency map, the monitoring device may determinethat a third API has an unhealthy operating status based on the one ormore metrics satisfying one or more unhealthy operating statusthresholds. The monitoring device may generate a notification, by themonitoring application, identifying a particular data resource providedby the third API and indicating that the unhealthy operating status ofthe third API is impacting performance of the first application. Themonitoring device may determine, by the monitoring application, that theparticular data resource is available from a fourth API. And themonitoring device may generate, by the monitoring application, anotification that the first application can be reconfigured to obtainthe particular data resource from the fourth API and/or automaticallyreconfigure the first application to obtain the particular data resourcefrom the fourth API.

In some implementations, the monitoring device may determine an errorstatus message provided by the third API or the particular dataresource. The notification identifying the particular data resourceprovided by the third API may include the error status message.

In some implementations, identifying the first and second APIs may bebased on data lineage documentation associated with the firstapplication and the first APIs. Determining the one or more second APIsmay be based on an API call log associated with an API call made by thefirst application. The API call log may indicate a message ID of the APIcall made by the first application and comprises a record of each APIinvolved in processing the API call. Identifying the one or more firstAPIs that are dependencies of the first application may additionallyand/or alternative be based on determining APIs that are associated witha first plurality of monitoring interfaces configured to monitor thefirst application. Determining the one or more second APIs that aredependencies of each respective first API may be based on determiningAPIs that are associated with respective second pluralities ofmonitoring interfaces configured to monitor the respective first APIs.Identifying the one or more first APIs or determining the one or moresecond APIs may be based on a pattern of performance indicating that thefirst application relies on a service of a given API, wherein thepattern of performance is determined using a machine learning modeltrained based on clustering system status information associated withpast events where the first application had an unhealthy operatingstatus. And identifying the one or more first APIs or determining theone or more second APIs may be based on causing a given API to simulatean unhealthy operating status. The monitoring device may determine thatthe first application develops an unhealthy operating status based onthe simulated unhealthy operating status of the given API.

In some implementations, building the dependency map for the firstapplication may include adding the one or more first APIs to thedependency map as dependencies of the first application; adding the oneor more second APIs to the dependency map as dependencies of acorresponding first API; and adding one or more other APIs to thedependency map as further dependencies of the one or more second APIs.Adding the one or more second APIs or one or more other APIs may includedetermining, for a fourth API of the one or more second APIs or one ormore other APIs, that a same API is already present in the dependencymap and omitting the fourth API from the dependency map based on thesame API being present in the dependency map.

In some implementations, the monitoring device may automaticallyconfigure the monitoring application to utilize a plurality ofmonitoring interfaces configured to report one or more metricscorresponding to the one or more second APIs based on determining theone or more second APIs that are dependencies of each respective firstAPI.

Intelligent Services

According to some aspects, the monitoring device may utilize machinelearning techniques to determine patterns of performance based on systemstate information associated with performance events. System stateinformation for an event may be collected and used to train a machinelearning model based on determining correlations between attributes ofdependencies and the monitored application entering an unhealthy state.During later, similar events, the machine learning model may be used togenerate a recommended action based on past corrective actions. Themonitoring application may also use information about baseline (and/orwaterline) performance and unhealthy performance events to generate ahealth report using the trained model, indicating to a user informationsuch as a predicted likelihood that the monitored application will enteran unhealthy operating state. This may allow the system to proactivelyprovide users with information about and predict potential conditionsthat may cause the monitored application to become unhealthy. It mayalso allow the system to reactively generate recommended actions torestore the monitored application to a healthy state.

When a monitoring application determines that an application and/or oneof its dependencies has an unhealthy operating status, such as in themanner discussed above with respect to FIG. 6, the monitoring device mayrecord a system snapshot associated with the unhealthy operating status.The monitoring device may collect system snapshots at other times,including during normal operation, at times prior to when the unhealthyoperating status occurs, and subsequent to recovery of the system and areturn to healthy operating status. Armed with data about thesedifferent conditions of the system (e.g., what it looked like whenthings were good, what it looked like just before an unhealthy event,what it looked like during the unhealthy event, and what it looked likejust after recovery from the unhealthy event), a machine learning modelmay be trained to make recommendations based on a current state of thesystem regarding the likelihood that a monitored application will enteran unhealthy operating state. The machine learning model may be trainedto recognize emergent patterns of failure (and more generally, patternsof performance) based on clustering system attribute information todetect correlations between attributes of a dependency and theapplication entering an unhealthy operating state.

FIG. 12 depicts an example architecture 1200 for using machine learningprocesses in conjunction with a monitoring application 1230, accordingto one or more aspects of the disclosure. Architecture 1200 may besimilar to architecture 400 of FIG. 4, and like numbered elements ofFIG. 12 may correspond to the same or similar elements in FIG. 4.

Monitoring application 1230 may correspond to monitoring application 430of FIG. 4, but is illustrated with additional details of the smartdatabase and machine learning aspects. Monitoring application 1230 maybe configured to utilize monitoring interfaces 420 to monitor the statusof application 401 and its dependencies, services 403 a-n. Monitoringapplication 1230 may interface with intelligent services componentsincluding smart database 1247 and machine learning processes 1249 toenable use of artificial intelligence and/or machine learning techniquesto generate predictions regarding system operating status and correctiveactions.

When monitoring application 1230 detects that the monitored application,or one of its dependencies, has an unhealthy operating status,monitoring application 1230 may store event record data in smartdatabase 1247. The event record may comprise an indication of theapplication or other service having the unhealthy operating status, andmay comprise one or more metrics obtained via monitoring interfaces 420.For example, an event record associated with the monitored applicationor other service having an unhealthy operating status may includeoperating metrics such as: number of transactions received per second,number of transactions handled per second, error rate, latency, networkutilization, network speed, memory utilization, processor utilization,other resource utilization, latencies to individual dependencies, errorrates of individual dependencies, error messages of an application orservice, error messages of a dependency, and/or any other suitableoperating metrics.

Event records in smart database 1247 may also comprise informationcorresponding to a snapshot of the system at the time of the event. Datacollecting agents 1250 may operate to dump system state informationregarding system status into an event record at the time of the event.For example, a data collecting agent may dump the contents of amessaging queue associated with the monitored application into the eventrecord. Any suitable data about the system environment surrounding theapplication at the time of the performance event may be collected bydata collecting agents 1250. Collected data may relate to hardwarestatus, virtual infrastructure status, cloud resource status, CPU orother processor status, memory available and/or utilization, securitystructures and identified risks, traffic parameters including latencyand/or call volume, runtime stack and/or other attributes of the runtimeenvironment, JAVA stack, variable values, memory allocations, and thelike.

The event records and other system information stored in smart database1247 may be used by machine learning process 1249 to train a machinelearning model and determine potential patterns of performance for themonitored application. A pattern of performance may indicate acorrelation between an attribute of a dependency and the performance ofthe monitored application. Machine learning processes 1249 may considerdifferent types of patterns of performance, including patterns offailure, patterns of latency, patterns of risk, and other suitablepatterns of performance.

A first type of pattern of performance assessed by the machine learningprocesses 1249 may be a pattern of failure. A pattern of failure mayindicate a potential correlation between an attribute of the systemstate information and the monitored application entering the unhealthyoperating state. For example, the system may determine that when latencyassociated with calls to an accounts API increases above 100 ms, themonitored application is likely to enter an unhealthy operating state.

Another type of pattern of performance assessed by the machine learningprocesses 1249 may be a pattern of risk. A pattern of risk may indicatea potential correlation between an attribute of the system stateinformation and a level of security risk to the monitored applicationand/or system. For example, the system may determine that recent updatesto an authentication framework in the system results in an increasedsecurity risk of unauthorized access to the system.

And another type of pattern of performance assessed by the machinelearning processes 1249 may be a pattern of latency. A pattern oflatency may indicate a potential correlation between an attribute of thesystem state information and a latency associated with requests to themonitored application. For example, when a number of requests per secondassociated with a dependency of the monitored application goes up,latency associated with requests to the monitored application mayincrease.

Machine learning processes 1249 may determine these and other patternsof performance by clustering event records stored in smart database1247. By applying clustering algorithms to the various system stateinformation elements across a set of event records, the machine learningprocesses may determine emergent trends. Clustering may group similarevents and determine common conditions associated with those events. Theself-optimizing action of the clustering techniques may enable themachine learning processes to develop and train a model that canidentify the patterns of failure and other patterns of performance Bydetecting the common conditions associated with a class of events, themachine learning processes may learn to recognize live conditions thatindicate that the monitored application may be likely to enter anunhealthy operating state. Clustering may determine that an eventcaptured in an event record is similar to one or more other events, andmay organize the event records into groupings by generated event types.

Monitoring application 1230 may also store corrective actions associatedwith an event in smart database 1247. For example, when monitoringapplication 1230 detects that a monitored application or other servicehas an unhealthy operating state, the data collecting agents may dumpsystem state information into smart database 1247. Monitoringapplication 1230 may further track corrective actions taken by a systemadministrator, and may store indications of the corrective action insmart database 1247 as well in association with the event records. Thus,machine learning processes 1249 may also learn from the correctiveactions associated with the event records and generate a recommendationthat similar corrective action be taken when similar conditions arise ata later time.

Machine learning processes 1249 may be trained on a set of event recordscollected over time by monitoring when any of the APIs enter anunhealthy state, collecting system state information each time in smartdatabase 1247. The machine learning processes 1249 may group the eventrecords and determine multiple event types based on clustering the eventrecords. As an example, consider a system with four monitoredapplications each comprising an API (APIs #1, #2, #3, and #4). A hightraffic event type A, in this example, may cause API #1 to sufferlatency problems, and the corrective action may be to failover trafficto a backup server. An unhealthy instance event type B may cause APIs#1, 2, 3, and 4 each to fail. Corrective action for event type B mayinvolve failover to the backup server, but also a rollback of changesmade somewhere in the environment. An event type C may be any event thataffects API #2 and API #4 due to a common dependency. Restoration actionfor event type C may be to rollback a recent change and also deploy moreCPU resources to the common dependency. And an event type D may be anextension of event type C where there is also a high traffic event,where restoration action may require even more CPU resources.

Machine learning processes 1249 may train a machine learning model basedon the event records to identify types of events and associated patternsof performance. Once the model is trained on these patterns ofperformance, a current operating status of the monitored application andsystem may be used by the machine learning processes to generatepredictions regarding the likelihood that the system will enter anunhealthy state. If the system is in an unhealthy state, or ifconditions seem ripe for the system to enter an unhealthy state, themachine learning processes 1249 may generate a recommended action torestore the system to a healthy state.

Recommended actions may take the form of control gates 1260. The trainedmachine learning model may be used to generate a recommendationregarding corrective action to be taken based on a current operatingstatus and corrective action that was taken in past, similar events.Gates may comprise a recommended corrective action, and may be manual,automatic, and/or hybrid in nature. For example, a first gate maycorrespond to a notification prompting users 441 to roll back a recentchange that correlates with an increased security risk. Another gate maycorrespond to an automatic gate that instructs administrative processes445 to automatically deploy extra resources to a dependency that isexperiencing increased traffic. And an example hybrid gate may compriseboth an automatic component and a manual component, such as an automaticstep to reroute traffic to a backup server and a user notificationprompting the user to reboot the main server. Automatic actions may belimited to a “do no harm” philosophy, with low impact actions likeadding more resources or acting in an 100% confidence setting handledautomatically, while corrective action that may have user impacts,higher costs, or security risks may be handled through manual gates.

Smart database 1247 may also store non-event, status records thatcapture normal operation of the monitored application and itsdependencies. Status records may capture the picture of the system at agiven time, and may be used by the machine learning process 1249 ontheir own and/or in conjunction with the event records. For example,machine learning processes 1249 may use the status records associatedwith a healthy operating status of the monitored application todetermine a baseline performance expectation for the monitoredapplication. Knowing the baseline may enable the machine learningprocesses to better identify anomalous attributes in event records thatmay contribute to the monitored application having and unhealthyoperating status. And the baseline may be relevant to generating asystem health report, allowing the machine learning processes togenerate a prediction regarding the likelihood that individualapplications and other services may enter an unhealthy operating state.

Aspects of the intelligent services features discussed herein, makinguse of smart database 1247 and machine learning processes 1249, maybuild a model that recognizes conditions that lead to system problems.Current status information obtained by continuous monitoring usingmonitoring application 430/1230, as discussed throughout this document,may be fed into the trained model to determine whether the system islikely to enter an unhealthy operating state and generaterecommendations for corrective actions. When the monitoring devicedetects an event that the trained machine learning model predicts maylead to unhealthy operation for the monitored application and/or system,the monitoring device may provide a recommended action through themanual, automatic, and hybrid gates discussed above. Corrective actionsrecommended may include spinning up a new node, assigning additionalresources to a problem dependency, failover bypass to other services,communication with other system administrators, reboot, rollbacks, andany other suitable corrective action to address problems affecting theperformance of the monitored application and/or system.

FIG. 13 depicts a flowchart illustrating an example method 1300 forgenerating a recommendation regarding operation of a target, monitoredapplication based on a current operating status. Method 1300 may beperformed on any suitable computing device, in similar fashion to thatdiscussed above for method 500 of FIG. 5. For example, method 1300 maybe performed on a monitoring device implementing monitoring application1230, smart database 1247, and machine learning processes 1249 of FIG.12.

At step 1305, the monitoring device may configure the monitoringapplication to monitor a target application and its dependencies usingone or more monitoring interfaces. At step 1310, the monitoring devicemay monitor the status of the target application and dependencies. Andat step 1315, the monitoring device may detect that the targetapplication has an unhealthy operating status. Steps 1305-1315 maycorrespond generally to the steps illustrated in FIG. 5.

At step 1320, the monitoring device may collect system state informationand store it as an incident/event record in a smart database. Forexample, data collecting agents (such as data collecting agents 1250)may gather and dump system state information to provide a snapshot ofthe system state of the time that the monitored application has anunhealthy operating status. The collected system state information forthe event record may include information corresponding to the variousdependencies of the monitored application, including attributes of therespective dependencies.

At step 1325, the monitoring device may train a machine learning modelbased on a set of incident records. Once multiple event records arestored in the smart database, the machine learning processes may clusterthe events and determine emergent trends and patterns of performance foruse in generating predictions regarding operation of the monitoredapplication.

At step 1335, the monitoring device may train the machine learning modelby clustering incident events based on attributes in the system statusinformation associated with each event record. In particular, incidentevents associated with the monitored application may be clustered basedon attributes of the dependencies of the monitored application. Inperforming the clustering, the monitoring device may group the differentincident events based on commonalities, such as a scope and nature ofservice impact, the types and identity of services impacted, the stateof dependencies of the monitored application, corrective action taken,and the like.

At step 1340, the monitoring device may determine correlations betweenattributes of the dependencies of the monitored application and theunhealthy operating status of the monitored application. For example,when a first dependency of the monitored application has a high latencyattribute, the monitored application may show a pattern of performanceby also suffering from high latency. Correlations between attributes ofdependencies (and/or system state information) and the operating statusof the monitored application may be learned by the machine learningmodel as patterns of performance.

Patterns of performance may be determined based on any suitable elementof system status information, or combinations thereof. For example, inclustering the event records the monitoring device may determine apattern of performance associated with a time of day. In an example, aparticular service may be determined to have a high likelihood ofbreaking every day at a particular time, such as a navigation serviceduring rush hour. As another example, seasonality may be taken intoaccount and determined to support a pattern of performance. In anexample, an ecommerce platform may be more likely to fail during theholiday shopping season than during the rest of the year. Clustering andtraining the machine learning model may be able to uncover theseemergent patterns of performance through recognizing common attributesamong different event records.

At step 1345, the monitoring device may update the machine learningmodel based on the determined patterns of performance. The monitoringdevice may resume monitoring the target application and itsdependencies, continuing to train the model further based on additionalincident events.

At step 1350, the monitoring device may determine a current operatingstatus of the monitored application and its dependencies. As discussedpreviously with respect to FIGS. 5 and 6, the monitoring device may useone or more monitoring interfaces configured to obtain operationalmetrics associated with performance of the monitored application and itsdependencies.

At step 1355, the monitoring device may use the trained machine learningmodel to generate a recommendation regarding operation of the monitoredapplication based on the current system status. For example, the trainedmachine learning model may enable the monitoring device to recognizethat certain conditions at a first dependency are associated with apattern of failure that the monitoring application has a 20% chance ofentering an unhealthy operating status. Based on this pattern offailure, the machine learning processes may generate a recommendationthat the user take corrective action to address the issues before theycause the monitored application to enter the unhealthy operating status.

The determined patterns of performance may also be useful in improvingthe configuration of the monitoring application. For example, thedetermined patterns of performance may be used to infer dependencyrelationships. If an unhealthy state of a monitored application iswell-correlated with outage of another resource, it may be inferred thatthe monitored application may depend on that resource (or at least thatthey are interdependent). Similarly, the patterns of performance may beuseful in determining which operating metrics may be most relevant tomonitoring system health. For example, if latency issues are correlatedwith a high likelihood of failure, while high volume events only have aslightly increased change of failure, then the pattern of performancemay be used to recommend that the monitoring application be configuredto track monitoring interfaces providing latency metrics for themonitored application and dependencies.

FIG. 14 depicts a flowchart illustrating an example method 1400 forgenerating a recommendation regarding operation of a target, monitoredapplication based on a current operating status and past correctiveaction. Method 1400 may be performed on any suitable computing device,in similar fashion to that discussed above for method 500 of FIG. 5. Forexample, method 1400 may be performed on a monitoring deviceimplementing monitoring application 1230, smart database 1247, andmachine learning processes 1249 of FIG. 12.

At steps 1405, the monitoring device may configure the monitoringapplication to monitor a target application and its dependencies usingone or more monitoring interfaces. At step 1410, the monitoring devicemay monitor the status of the target application and dependencies. Andat step 1415, the monitoring device may detect that the targetapplication has an unhealthy operating status. Steps 1405-1415 maycorrespond generally to the steps illustrated in FIG. 5.

At step 1420, the monitoring device may collect system state informationand store it as an incident/event record in a smart database, in thesame manner as described for step 1320 of FIG. 13. For example, datacollecting agents (such as data collecting agents 1250) may gather anddump system state information to provide a snapshot of the system stateof the time that the monitored application has an unhealthy operatingstatus. The collected system state information for the event record mayinclude information corresponding to the various dependencies of themonitored application, including attributes of the respectivedependencies.

At step 1425, the monitoring device may update the incident/event recordto indicate corrective action taken by a system administrator. Themonitoring device may detect that the system administrator took certaincorrective action in response to the unhealthy operating status of themonitored application or other service, and may add this correctiveaction in association with the event record. The corrective action maybecome associated with the cluster of events that corresponds to theevent detected in step 1415. The monitoring device may detect thecorrective action based on a notification regarding the correctiveaction, such as through the administrator reporting the correctiveaction to the monitoring device. Additionally, and/or alternatively, themonitoring device may detect the corrective action through continuousmonitoring, detecting that a change to one or more attributes of themonitored application, its dependencies, or other element in the systemafter detection of the unhealthy status event.

At step 1430, the monitoring device may train a machine learning modelbased on a set of incident records and the corresponding correctiveactions. Once multiple event records are stored in the smart database,the machine learning processes may cluster the events and determineemergent trends and patterns of performance for use in generatingpredictions regarding operation of the monitored application. Step 1430may correspond to steps 1325, 1335, 1340, and 1345 of FIG. 13, thoughwith the addition that the clustering and training is further based onthe corrective action. The monitoring device may observe many differentchanges after detecting the unhealthy operating status event, and mayrecord each as system status information associated with resolution ofthe unhealthy operating status event. Through clustering, the monitoringdevice may identify which changes are effective to remediate particularproblems, and may recommend similar action in future unhealthy operatingstatus events. Thus, the monitoring device may observe many candidatesfor suitable corrective action, but based on correlating changes madeacross similar events may be able to determine corrective action thatmay address the issues underlying the unhealthy operating status event.

At step 1435, the monitoring device may determine a current operatingstatus of the target application and its dependencies. As discussedabove, operating status information for the target application and itsdependencies may be obtained by the monitoring application via one ormore monitoring interfaces configured to report operational metricsassociated with the monitored application and/or dependencies.

At step 1440, the monitoring device may generate a recommendationregarding operation of the target application based on the currentstatus of the target application and its dependencies, and further basedon the past corrective application. The monitoring device may determinethat the current status of the monitored application and/or otherservices fall within a pattern of performance recognized by the trainedmachine learning model. Based on determining that the current statusaligns with a determined pattern of performance, the monitoring devicemay generate a recommendation for corrective action to take to avoid themonitored application entering an unhealthy operating status and/orrestore normal operation.

The intelligent services features may also evaluate a current operatingstate of the monitored application and its dependencies to determineoverall system health relative to a baseline/waterline. Continuousmonitoring of the monitored application and its dependencies may allowthe monitoring application to present users with a health report for thesystem on request at a given time. Visualizations may be constructed tobetter convey the state of the monitored application, its dependencies,and the broader system. Performing such a waterline analysis may bebeneficial in allowing system administrators to quickly evaluate anoverall system health and take preemptive action as appropriate. It mayalso allow system administrators to answer questions such as “what is agood time to push out a big software update with minimal user impact.”Aspects described herein may account for interdependency between amonitored application and other services based on the learned patternsof performance, and may make attendant predictions regarding systemhealth based on the interdependency. If an interdependency is failing,then the risk of additional elements failing rises. According to someaspects, a monitoring application can evaluate and score these risksusing the intelligent services discussed herein. These aspects arediscussed further herein with respect to FIGS. 15 and 16.

FIG. 15 depicts a visualization 1500 corresponding to operatingenvironment 200 of FIG. 2. Visualization 1500 may provide a healthreport indicating operating metrics and predictions regarding the statusof the monitored application 201 and/or its dependencies. As illustratedin FIG. 15, the visualization or health report may indicate a percenthealth of each element in the system. For example, application 201 isdisplayed as having 45% health, which may be based on the machinelearning processes predicting that there is a higher than usual chancethat application 201 will enter an unhealthy state. Much like parsingthe dependency tree as discussed above with respect to FIGS. 5 and 6,the monitoring device may parse the tree to determine a predictedoperating health for each of the monitored application and itsdependencies. Continuing the illustrated example, services 221, 223, and227 appear to have normal operation. But service 225 is being impactedby downstream failures, and may have a low health of 40%—indicating thatthere is an increased likelihood that service 225 will enter anunhealthy operating state. Further, service 233 may be experiencingpartial outages. Monitoring device may be aware of the issues at service233 through observing the monitoring interfaces associated with service233 during on-boarding of the monitoring application. Yet service 241may not be reporting any issues, and that visualization 1500 illustratesservice 241 as having a 90% health.

Other operating metrics may be displayed through visualization 1500 aswell (not illustrated). For example, visualization 1500 may beconfigured to display latency requests per second, processorutilization, and/or any other suitable metric. Visualization 1500 mayinclude display elements configured to communicate to a user a likelyseverity of each issue included in visualization 1500. For example, ifthe trained machine learning model includes a pattern of failureassociated with dependency latency values above 100 ms, thenvisualization 1500 may use colors or other visual elements to indicatethe predicted severity of the identified issues.

Severity and predicted health may be determined by the machine learningmodel based on evaluating a current status against baseline operation ofthe monitored application and its dependencies. Moreover, the linesbetween the nodes may be used to represent another measurable variablerepresentative of the “load” between two linked nodes (not illustrated).Load may be traffic, criticality, and/or any other suitable metric.Choice of values to represent on the visualization using the lines maydepend on whether the nodes have an upstream relationship to themonitored application (where traffic load may be used) or a downstreamrelationship (where criticality of the dependency may be used). Like thenodes themselves, the connector lines themselves may have probabilisticscores as determined by the trained machine learning model.

Example factors that may increase risk of unhealthy performance in anenterprise system may include: changes within the interdependentsystems, events within the interdependent systems, traffic events,frequency of usage, brokenness of system, brokenness of interdependentsystems. Factors that may mitigate increased risk may include: relativeweights of the importance of various services, ability to look aside forredundant access to necessary data resources, caching allowing increasedresiliency to temporary outages.

The intelligent services aspects described herein may operate tovisualize the system status during a variety of loads and othersettings. A baseline visualization and system health report may begenerated based on normal operating status under typical loads, forexample. A waterline visualization and system healthy report may bebased on operating statuses measured during a high load event.Visualizing the baseline/waterline for the system, monitoredapplication, and its dependencies may provide system administrators witha more complete source of information to make decisions regardingperformance, security, and maintenance. Knowing what the system lookslike at a baseline, normal state of operations may facilitate betteridentification of when the system is in an abnormal or unhealthy stateof operation. Knowing what the waterline, high water mark for the systemlooks like, e.g., what the system operating status looks like under ahigh load, may facilitate management of the system in such a high loadscenario. For example, if a waterline report indicates that high loadsmay cause a key dependency of the monitored application to fail, anadministrator and/or the machine learning processes may determine toprovide additional resources to the key dependency to avoid problems.

The baseline and waterline visualizations and reports may facilitateoptimization of the system. An administrator and/or the machine learningprocesses may compare the baseline and waterline scenarios to determinewhat the system looks like in a typical scenario versus in a higher-riskstate. The administrator and/or machine learning processes may recommendand/or implement optimizations based on mitigating potential problemsassociated with the demands of the higher-risk state of the system. Byviewing the state of the system in a waterline report, administratorsand/or machine learning processes may identify that an attribute iscorrelated with high risk of failure to the system, and may implementsuitable corrective actions. Thus, the visualization of the baseline,waterline, and anywhere in between may provide actionable intelligenceallowing proactive steps to improve system performance and reliability.

FIG. 16 depicts a flowchart illustrating an example method 1600 forgenerating a health report for a target, monitored application based ona current operating status. Information about baseline and/or waterlineperformance of the system may inform the generation of the healthreport. Method 1600 may be performed on any suitable computing device,in similar fashion to that discussed above for method 500 of FIG. 5. Forexample, method 1600 may be performed on a monitoring deviceimplementing monitoring application 1230, smart database 1247, andmachine learning processes 1249 of FIG. 12.

At step 1605, the monitoring device may configure the monitoringapplication to monitor a target application and its dependencies usingone or more monitoring interfaces. At step 1610, the monitoring devicemay monitor the status of the target application and dependencies. Steps1605 and 1610 may correspond generally to the steps illustrated in FIG.5.

At step 1615, the monitoring device may collect system state informationassociated with normal, healthy operation of the system and store it asa status record in a smart database. For example, data collecting agents(such as data collecting agents 1250) may gather and dump system stateinformation to provide a snapshot of the system state at periodic times.The collected system state information for the event record may includeinformation corresponding to the various dependencies of the monitoredapplication, including attributes of the respective dependencies. In theillustrated method steps, method 1600 may use healthy system stateinformation to determine a baseline against which unhealthy system stateinformation is compared. But, as discussed above, the monitoring devicemay also collect system state information associated with a high loadoperation of the system and determine a waterline state of the system.The waterline state of the system may also be used by the machinelearning processes to determine potential problems present when themonitored application enters an unhealthy operating state.

At step 1620, the monitoring device may collect system state informationassociated with an unhealthy operating status of the monitoredapplication and store it as an incident/event record in the smartdatabase. For example, data collecting agents (such as data collectingagents 1250) may gather and dump system state information to provide asnapshot of the system state of the time that the monitored applicationhas an unhealthy operating status.

At step 1625, the monitoring device may train a machine learning modelbased on a combination of status and incident records. Once multipleevent records are stored in the smart database, the machine learningprocesses may cluster the events and determine emergent trends andpatterns of performance for use in generating predictions regardingoperation of the monitored application. The patterns of performance maybe further based on comparing system status information associated withan unhealthy operating status of the monitored application in theincident records against system status information associated with ahealthy and/or high load operating status of the monitored applicationin the status records.

At step 1630, the monitoring device may determine a system baselineand/or waterline representation based on the system status informationin the status records corresponding to the monitored application havingthe healthy (and/or high load) operating status. The conditions presentin the system during a healthy operating status may be used to informthe determination of patterns of failure (or other patterns ofperformance) from incident event records.

At step 1635, the monitoring application may train the machine learningmodel by clustering incident events based on attributes in the systemstatus information associated with each event record. In particular,incident events associated with the monitored application may beclustered based on attributes of the dependencies of the monitoredapplication. In performing the clustering, the monitoring device maygroup the different incident events based on commonalities, such as ascope and nature of service impact, the types and identity of servicesimpacted, the state of dependencies of the monitored application,corrective action taken, and the like. Clustering in step 1635 mayfurther be informed based on the baseline and/or waterlinerepresentations of the system.

At step 1640, the monitoring device may determine correlations betweenattributes of the dependencies of the monitored application and theunhealthy operating status of the monitored application. For example,when a first dependency of the monitored application has a high latencyattribute, the monitored application may show a pattern of performanceby also suffering from high latency. Correlations between attributes ofdependencies (and/or system state information) and the operating statusof the monitored application may be learned by the machine learningmodel as patterns of performance. The machine learning processes mayutilize the baseline and/or waterline representations of the system tobetter determine correlations between attributes of the dependencies andthe unhealthy status of the monitored application. For example, thebaseline and/or waterline representations may indicate an acceptablerange of latencies at the dependencies that do not typically lead to themonitored application entering the unhealthy state. The machine learningprocesses may use this information to avoid determining an impropercorrelation between latencies in that range and the unhealthy status ofthe application, and may evaluate other potential correlations. As withmethod 1300 of FIG. 13, clustering and training the machine learningmodel may be able to uncover emergent patterns of performance throughrecognizing common attributes among different event records.

At step 1645, the monitoring device may update the machine learningmodel based on the determined patterns of performance. The monitoringdevice may resume monitoring the target application and itsdependencies, continuing to train the model further based on additionalincident events.

At step 1650, the monitoring device may determine a current operatingstatus of the monitored application and its dependencies. As discussedpreviously with respect to FIGS. 5 and 6, the monitoring device may useone or more monitoring interfaces configured to obtain operationalmetrics associated with performance of the monitored application and itsdependencies.

At step 1655, the monitoring device may use the trained machine learningmodel to generate a health report for the target application anddependencies. The health report may comprise a visualization of themonitored application and its dependencies. The health report mayinclude one or more metrics regarding health of the system. For example,the health report may indicate a response latency associated withdependencies in the system. As another example, the monitoring devicemay determine a health score or other value indicating an overall healthof a system component. The health score may represent a likelihood thatthe system will stay in a healthy operating status and/or a likelihoodthat the system will enter an unhealthy operating status. For example, ahealth score of 90% may indicate that the current conditions at adependency are at 90% health, and there is a 10% chance that the currentconditions may lead to the monitored application entering an unhealthyoperating state within a given time period. The machine learningprocesses may generate the health scores based on comparing the currentoperating status of the system to the determined patterns of performanceCurrent attributes that are correlated with potential patterns offailure may be assigned a lower health score. The health scores may alsobe determined relative to the baseline and/or waterline scenarios. Asystem health score may be presented relative to the baseline, such aswhere the indicated health score corresponds to the likelihood thatcurrent attributes of a dependency may cause the monitored applicationto enter an unhealthy state above (or sometimes below) the baselinerisk. recommendation regarding operation of the monitored applicationbased on the current system status. For example, the trained machinelearning model may enable the monitoring device to recognize thatcertain conditions at a first dependency are associated with a patternof failure that the monitoring application has a 20% chance of enteringan unhealthy operating status. Based on this pattern of failure, thehealth report may indicate that the first dependency is likely to causethe monitored application to enter the unhealthy operating status. Thehealth report may use one or more visual cues to flag the health scorefor the first dependency as a high risk that may require attention.

The health reports, and the machine learning models trained by method1600, may enable administrators and/or machine learning processes toidentify critical dependencies that are strongly correlated to unhealthysystem performance. The model may be used to assess which criticaldependencies may cause a cascade of errors and bring the monitoredapplication down. By identifying critical dependencies, the monitoringdevice may enable administrators and/or machine learning processes totake proactive actions to address the most critical dependencies. Forexample, if a dependency is highly correlated with failure of thesystem, an administrator and/or machine learning process may configurethe system to provide additional resources to the critical dependency.Identifying the keystones that can cause the whole system to break mayimprove the overall healthy and resiliency of the enterprise system andmonitored application.

Health reports may also enable an administrator and/or machine learningprocess to make decisions about when to perform system updates orreleases. The trained machine learning model may be used to predicthealth scores based on current conditions, and the update or release maybe planned for a period when the system has a good health score tominimize the impact to users and the likelihood of causing the system toenter an unhealthy operating state.

Thus, according to some aspects, a computer-implemented method forgenerating predictions regarding system health may be provided. Themethod may be performed by any suitable computing device, such as amonitoring device. The monitoring device may configure a monitoringapplication to monitor a first application and a plurality ofdependencies of the first application using a plurality of monitoringinterfaces. The monitoring device may detect, by the monitoringapplication and based on the plurality of monitoring interfaces, thatthe first application has an unhealthy operating status. The firstapplication may be determined to have an unhealthy status based onwhether one or more metrics associated with the first applicationsatisfy one or more operating status thresholds. One or more datacollecting agents may collect, based on detecting that the firstapplication has the unhealthy operating status, system state informationcorresponding to the first application and each of the plurality ofdependencies. The monitoring device may store the collected system stateinformation in a database as a first incident record corresponding to afirst incident event and comprising incident attribute information forthe first application and each of the plurality of dependencies.Collected incident attribute information corresponding to the firstdependency may comprises information indicating one or more of: whethera resource associated with the first dependency is accessible; aresponse latency associated with requests to the first dependency; anerror rate associated with requests to the first dependency; or an errorstate or error message provided by the first dependency. In someimplementations, the first incident record may include timinginformation associated with the first incident event. Determining thefirst pattern of performance may be based on the timing informationassociated with the first incident event and timing informationassociated with other incident events.

The monitoring device may train a machine learning model based on aplurality of incident records including the first incident record.Training the machine learning model may comprise clustering incidentevents corresponding to each of the plurality of incident records forthe first application. Clustering the incident events may be based onattributes of the system state information corresponding to each of theplurality of dependencies. The monitoring device may further train themachine learning model by determining one or more patterns ofperformance based on the clustered incident events. A first pattern ofperformance of the one or more patterns of performance may indicate apotential correlation between a first attribute of the system stateinformation corresponding to a first dependency and the firstapplication having the unhealthy operating status. The monitoring devicemay update the machine learning model based on the determined patternsof performance. In some implementations, the first dependency maycorrespond to an Application Programming Interface (API) associated witha resource utilized by the first application. In some implementations,the first dependency may correspond to a network utilized by the firstapplication to communicate with another dependency.

The monitoring device may detect, by the monitoring application andbased on the plurality of monitoring interfaces, a current operatingstatus of the first application and the plurality of dependencies. Usingthe trained machine learning model, the monitoring device may generate,based on the first pattern of performance and the current operatingstatus, a recommendation regarding operation of the first application orthe first dependency. Generating the recommendation regarding theoperation of the first application or the first dependency may comprisedetermining, using the machine learning model, a suggested action basedon incident records corresponding to the first pattern of performance.The suggested action may be, e.g., bypassing the first dependency. Thefirst incident record may further comprise information indicating acorrective action taken in response to the first incident event.Determining the suggested action based on incident records correspondingto the first pattern of performance may comprise determining, using themachine learning model, the suggested action based on the correctiveaction taken in response to the first incident event. The recommendationmay comprise a notification regarding the suggested application.Additionally, and/or alternatively, the recommendation may compriseautomatically implementing, by the monitoring application, the suggestedaction. A hybrid approach may be taken, where generating therecommendation regarding the operation of the first application or thefirst dependency comprises generating a user notification regarding afirst portion of the suggested action and automatically implementing, bythe monitoring application, a second portion of the suggested action.

According to some aspects, the first pattern of performance may be apattern of failure and may indicate a potential correlation between thefirst attribute of the system state information corresponding to thefirst dependency and the first application entering the unhealthyoperating status. According to other aspects, the first pattern ofperformance may be a pattern of risk and may indicate a potentialcorrelation between the first attribute of the system state informationcorresponding to the first dependency and a level of security risk tothe first application. And according to still other aspects, the firstpattern of performance may be a pattern of latency and may indicate apotential correlation between the first attribute of the system stateinformation corresponding to the first dependency and a latencyassociated with requests to the first application.

According to other aspects, a computer-implemented method for providinga report of current system healthy may be provided. The method may beimplemented by any suitable computing device, including a monitoringdevice. The monitoring device may configure a monitoring application tomonitor a first application and a plurality of dependencies of the firstapplication using a plurality of monitoring interface. The monitoringdevice may collect, by one or more data collecting agents and at a firsttime, first system state information corresponding to the firstapplication and each of the plurality of dependencies. The firstapplication may have a healthy status at the first time. The monitoringdevice may detect, by the monitoring application and based on theplurality of monitoring interfaces, that the first application has anunhealthy operating status at a second time. The monitoring device maycollect, by the one or more data collecting agents and based ondetecting that the first application has the unhealthy operating status,second system state information corresponding to the first applicationand each of the plurality of dependencies. The collected first systemstate information and second system state information may be stored in adatabase as a first status record and a second status record,respectively.

The monitoring device may train a machine learning model based on aplurality of status records, including the records from the healthy,first time and the records from the unhealthy, second time. Training themachine learning model may comprise clustering incident eventscorresponding to status records associated with the first applicationhaving an unhealthy status. Clustering the incident events may be basedon attributes of system state information, of a corresponding statusrecord, corresponding to each of the plurality of dependencies. Themonitoring device may determine one or more patterns of performancebased on the clustered incident events and the first system stateinformation. A first pattern of performance of the one or more patternsof performance may indicate a potential correlation between a firstattribute of the system state information corresponding to a firstdependency and the first application having the unhealthy operatingstatus. Training may further involve updating the machine learning modelbased on the determined patterns of performance Using the trained model,the monitoring device may generate, based on the first pattern ofperformance, a health report for the first application and the pluralityof dependencies. The health report may indicate a likelihood that thefirst application will enter an unhealthy status. The health report mayindicate at least one metric associated with the first dependency. Thehealth report may comprise a visualization of the plurality ofdependencies. The health report may indicate a likelihood that a currentcondition of the first dependency will cause the first application toenter an unhealthy state.

In some implementations, the monitoring device may detect, by themonitoring application and based on the plurality of monitoringinterfaces, a current operating status of the first application and theplurality of dependencies. Generating the health report for the firstapplication and the plurality of dependencies may be further based onthe current operating status of the first application and the pluralityof dependencies.

In some implementations, the monitoring device may determine alikelihood that a current condition of each dependency of the pluralityof dependencies will cause the first application to enter an unhealthystate. The healthy report may indicate that a second dependency, of theplurality of dependencies, is a most critical dependency based on thesecond dependency having a highest likelihood of causing the firstapplication to enter an unhealthy state.

In some implementations, the monitoring device may determine, using themachine learning model, a second dependency of the plurality ofdependencies that corresponds to a source of risk for the firstapplication. The monitoring device may generate, using the machinelearning model, a suggested action to mitigate a risk associated withthe second dependency.

In some implementations the monitoring device may determine, using themachine learning model and based on the status records, at least oneattribute of a second dependency of the plurality of dependencies thatis correlated with performance of the first application. The monitoringdevice may generate, using the machine learning model, at least onerecommended new monitoring interface to monitor the at least oneattribute of the second dependency. And the monitoring device mayconfigure the monitoring application to monitor the at least onerecommended new monitoring interface.

According to some aspects, a computer-implemented method may be providedfor determining that a service is a dependency of an application orother service. The method may be performed by any suitable computer,such as a monitoring device. The monitoring device may configure amonitoring application to monitor a first application and a plurality offirst Application Programming Interfaces (APIs) used by the firstapplication. The monitoring device may collect, by one or more datacollecting agents and based on detecting that the first application hasan unhealthy operating status, system state information corresponding tothe first application and each of the plurality of dependencies. Themonitoring device may store the collected system state information in adatabase as a first incident record corresponding to a first incidentevent and comprising incident attribute information for the firstapplication and each of the plurality of first APIs

The monitoring device may train a machine learning model based on aplurality of incident records including the first incident record.Training the machine learning model may include clustering incidentevents corresponding to each of the plurality of incident records forthe first application. Clustering the incident events may be based onattributes of the system state information corresponding to each of theplurality of first API. The monitoring device may determine one or morepatterns of performance based on the clustered incident event. A firstpattern of performance of the one or more patterns of performance mayindicate a potential correlation between a first attribute of the systemstate information corresponding to a second API, of the plurality offirst APIs, and the first application having the unhealthy operatingstatus. The monitoring device may complete initial training by updatingthe machine learning model based on the determined patterns ofperformance.

The monitoring device may determine, based on a determined first patternof performance, that the second API is a dependency of the firstapplication. The monitoring application may add the second API to adependency map associated with the first application. The monitoringapplication may determine, using a first monitoring interface configuredto provide one or more metrics regarding the second API, that the secondAPI has an unhealthy operating status based on the one or more metricssatisfying one or more unhealthy operating status thresholds. Themonitoring application may generate a notification, by the monitoringapplication, identifying a particular data resource provided by thesecond API and indicating that the unhealthy operating status of thesecond API is impacting performance of the first application.

API Call Interception and Testing

According to some aspects, a monitoring device may perform testsattempting to simulate unhealthy operating statuses in the applicationand dependencies. Results of this testing may be used to determineresiliency of the system to downstream unhealthy operating statuses. Andthis testing may be used to simulate unhealthy operating statuses in thesystem to generate real data that the intelligent services features mayuse to train the machine learning models. An interceptor may interceptcalls from a monitored application to an API that the applicationdepends on. The intercepted calls may be modified and passed on, in sucha manner that they return failed and/or unexpected results to theapplication. The interceptor may modify a result returned to an APIcall, such as by causing a portion of calls to timeout or yield errors.The interceptor may monitor performance of the application based on themodified calls and determine whether the monitored application is ableto recover from the simulated API problems. The intercepted calls may becached prior to modification, allowing the interceptor to regenerate theunmodified calls and insert them into a queue for processing if thatmonitored application is not able to recover. According to some aspects,the interceptor and simulated API problems may be used to train themachine learning model. The interceptor may act as a chaos agent,operating within the system to simulate problems at the various APIdependencies (and other dependencies) of the monitored application. Thismay allow for testing on live deployments with reduced impact to users.

FIG. 17 depicts an example architecture for testing applications basedon modifying API calls. The example architecture may include application1700, interceptor 1705, and APIs D1 1707 and D2 1709. API callsoriginating from application 1700 and intended for API D1 may beintercepted by interceptor 1705 and modified to simulate an unhealthyoperating status of API D1. The modified API calls may be sent on forfurther processing by the system, and may cause the API call to return afailed result. Additionally, and/or alternatively, interceptor 1705 mayintercept the API calls and return modified results simulating anunhealthy operating status of the intended API. A monitoring applicationmay monitor the impact of the failed results on application 1700 as partof a test of the resiliency of application 1700 to the unhealthyoperating status of the intended API.

Application 1700 may correspond to a monitored application in anenterprise system, as discussed previously and throughout thisdisclosure. For example, application 1700 may correspond to application201 and/or application 701 of FIGS. 2 and 7. A monitoring applicationmay be configured to monitor operation of application 1700 through oneor more monitoring interfaces that allow the monitoring application toretrieve one or more operating metrics associated with application 1700.Application 1700 may rely on one or more downstream dependencies toperform normal processing. In the architecture illustrated in FIG. 17,application 1700 may rely on API D1 1707 as a dependency. For example,API D1 may provide customer account information that application 1700may use to verify a transaction.

Application 1700 may issue an API call identifying API D1 and requestingthat API D1 perform some action, return some data, or provide anotherservice. Three API calls 1711, 1721, and 1731 are illustrated in FIG.17. Each may call a “hello” element of API D1. API call 1721 illustratesthat an API call may comprise a key value needed by “hello”, such as“1234”. For example, application 1700 may issue an API call requestingthat API D1 return account information, and the key value may be auserID used to identify the account. Each API call may be made viasystem processes, and the system may route the call to the proper API.

Interceptor 1705 may, however, intercept API calls 1711, 1721, and 1731.The system (e.g., through an operating system) may provide means bywhich interceptor 1705 may hook into the API D1, the application 1700,and/or other API processing systems. Interceptor 1705 may be configuredto hook into calls to API D1 and modify the calls before they are passedon to API D1. Interceptor 1705 may modify one or more aspects of the APIcalls in a manner that may cause the API calls to fail. This maysimulate an unhealthy operating status at API D1, for example.Interceptor 1705 may be configured to only intercept calls originatingfrom application 1700, and calls originating from other applicationsintended for API D1 may be unaffected. And interceptor 1705 may beconfigured to only intercept a subset of calls from application 1700 toAPI D1, such as during a requested test period and/or at randomintervals (as two examples).

As a first example illustrated in FIG. 17, API call 1711 may beintercepted and modified. API call 1711 may be modified from itsoriginal “/D1/hello” to “/D1/hello2”. “hello2” may be a non-existingelement, and a call to “/D1/hello2” may return a failed result.Interceptor 1705 may provide modified call 1712 to the system forprocessing in lieu of the original API call 1711. Modified call 1712 maybe sent to API D1, which may return an error 1713 indicating that“hello2” is a non-existent end-point.

As a second example illustrated in FIG. 17, API call 1721 may bemodified from its original “/D1/hello; key:1234” to “/D1/hello;key:9999”. Modified call 1722 may be provided to the system forprocessing, and may be sent to API D1. API D1 may return an internalserver error 1723 based on the improper key value in the modified call1722.

As a third example illustrated in FIG. 17, API call 1731 may be modifiedfrom its original “/D1/hello” to “/D2/hello”. This modification maycause the API call to be redirected to a different API D2 1709.Interceptor 1705 may cause the operating system to process modified call1732 in lieu of original call 1731. The operating system may routemodified call 1732 to API D2, which might still return a result 1733.But the unexpected result from API D2 may impact performance ofapplication 1700.

As another example, not illustrated, interceptor 1705 may returnsimulated bad results to the API calls instead of and/or in addition tomodifying and passing on the calls. Other aspects of an unhealthyoperating status of API D1 may be simulated through interceptor 1705,such as introducing additional response latency, artificially increasingan error rate of API D1, returning unexpected or erroneous results, andany other suitable aspect to simulate API D1 having an unhealthyoperating status.

A monitoring application associated with interceptor 1705 may observethe impact of the modified API calls and failed results on the operatingstatus of application 1700. One or more monitoring interfaces associatedwith application 1700 may be used to determine whether application 1700is able to recover from the simulated unhealthy operating status of APID1. Application 1700 may be designed to be resilient to an unhealthyoperating status at its downstream dependency API D1. For example,application 1700 may be configured to detect a timeout of a request toAPI D1 and resubmit the request at expiration of the timeout. As anotherexample, application 1700 may be configured to request a data resourceprovided by API D1 from another service capable of providing the dataresource when API D1 is unable to provide the data resource. As stillanother example, application 1700 may be configured to gracefully handlethe bad result by continuing to process a transaction to the best extentpossible given the absence of the data resource provided by API D1. Forexample, application 1700 could still generate a transaction report andmight just leave off a customer address and/or flag that item asrequiring attention.

If the monitoring application determines that application 1700 was ableto recover from the simulated unhealthy status of API D1, application1700 may be deemed to have passed the test. If instead the application1700 is not able to recover in a satisfactory manner, application 1700may have failed the test and an administrator and/or machine learningprocess may be notified. The administrator and/or machine learningprocess may determine corrective action to take to increase application1700's resiliency to an unhealthy operating status at API D1.

If application 1700 was not able to recover from the modified API calland/or failed result, then a transaction handled by application 1700 mayfail. If the system and application tested are live for use by users,then the testing performed by interceptor 1705 may impact live users.Simply having the transaction fail due to an artificially simulatedunhealthy system operating status may be unacceptable due to significantimpact to users. Thus, interceptor 1705 may have a cache 1706 and maystore unmodified API calls 1711, 1721, and 1731 in the cache. Ifapplication 1700 is not able to record from the corresponding modifiedAPI call, then interceptor 1705 may regenerate unmodified API call 1711,1721, and/or 1731 and provide them to the system for processing. Thus,despite the initial simulated failure of the call, API D1 may laterreturn a correct result expected by application 1705 and may properlyprocess the user's transaction. This may introduce minor user impactassociated with allowing time for the modified API call to impactapplication 1700, but may be so small that users do not notice. Forexample, the simulated unhealthy status and subsequent recovery of theoriginal API call may introduce only a few milliseconds of additionalresponse latency. In some embodiments, interceptor 1705 may regenerateand reintroduce unmodified API calls regardless of whether application1700 is able to gracefully recover from the simulated unhealthyoperating status.

Aspects described herein regarding API call interception and testing mayallow for testing system brokenness on a live deployment. Thesetechniques may create a randomized “safe” chaos testing with guardrailscontrollable by intelligent services features discussed above, and thesystem's resiliency may be tested against actual data, even if due to asimulated outage. Chaos testing using the API call interceptiontechniques described above may be guided and/or targeted based on thepatterns of failure (or other patterns of performance) determined by theintelligent services features. One advantage of the API callinterception techniques may be that calls from other applications to thesame API may remain unaffected while performing tests specific toapplication 1700. Another advantage is that chaos testing associatedwith data resource unavailability may be performed without actuallytaking the data resource down. This may allow for a quick recovery whentesting ends or if significant user impact is detected, rather thanrequiring that a resource subject to chaos testing be brought backonline. Instead of bringing the dependency down, the API callinterception techniques described herein may intercept and mutate callsto the dependency to simulate an unhealthy operating status. This mayresult in failed requests without actually impacting the called API.Techniques described herein may ruin the call, rather than break the APIitself. This may allow administrators to test a system withoutdestroying it.

FIG. 18 depicts a flowchart illustrating an example method 1800 fortesting the impact of an unhealthy operating status of a dependency on amonitored application. Method 1800 may be performed on any suitablecomputing device, in similar fashion to that discussed above for method500 of FIG. 5. For example, method 1800 may be performed on a monitoringdevice implementing interceptor 1705 of FIG. 17.

At step 1805, the monitoring device may initiate a testing procedure fora target application and/or dependency. The target application may beany type of service, such as a software application or API. The testingprocedure may be configured to evaluate the impact of a simulatedunhealthy operating status of downstream dependency on the targetapplication and/or dependency. Initiating the testing procedure may bedone based on a request from a user and/or machine learning process toperform the test. Initiating the testing procedure may also be donebased on a scheduled test plan and/or on a random basis. The monitoringdevice may configure a scope and nature of the test, such as throughdetermining one or more dependencies for which an unhealthy operatingstatus should be simulated and the particular problem that may becausing the unhealthy operating status. For example, a test may beinitiated that simulates the impact of increased response latencies over100 ms at a given dependency.

At step 1810, the monitoring device may intercept an API call from themonitored application and/or dependency to the dependencies subject tothe simulated unhealthy operating status. The monitoring device,implementing an interceptor application, may be configured to onlyintercept a subset of calls to the impacted dependencies. For example,the interceptor may be configured to only intercept calls originatingfrom the monitored application and to ignore calls from otherapplications. The intercepted API calls may be actual API callsgenerated by the monitored application during live deployment andoperation of the application, according to some aspects.

At step 1815, the monitoring device may cache the intercepted API callsin an unmodified state. The unmodified API calls may be cached to enablethe system to regenerate the original API calls if the monitoredapplication is not able to recover from the simulated unhealthyoperating status of the API, as discussed above.

At step 1820, the monitoring device may modify attributes of the APIcall and/or results returned to the target application. Variouspotential modifications and mutations were discussed above, and may beused in implementing step 1820. The modified call may be provided to thesystem for further processing. The modifications may cause the API callto return a failed result to the application.

At step 1825, the monitoring device may determine an impact of thefailed results on the monitored application. As discussed throughoutthis disclosure, a monitoring application may use one or more monitoringinterfaces to observe operating metrics of the monitored application.These operating metrics may be used to determine whether and how theoperating status of the monitored application is impacted by thesimulated unhealthy operating status of the API.

At step 1830, the monitoring device may evaluate whether the monitoredapplication was able to recover from the simulated unhealthy operatingstatus of the API and the failed API call results. If the monitoredapplication was able to recover, such as through retrieving necessarydata from an alternative data source, then the application may beconsidered to have passed the test at step 1835.

At step 1840, if the application is determined to have failed to recoverfrom the simulated unhealthy operating status of the API and failed APIcall results, the system may regenerate the original API call from thecache and insert it into the system's API call queue. The system mayprocess the unmodified API calls in the typical fashion and may returnexpected results to the monitored application which may completeprocessing an associated transaction. As a result, end users may seenothing more than a brief latency spike as a result of the simulatedunhealthy operating status of the dependency.

FIG. 19 depicts a flowchart illustrating an example method 1900 forusing the API interception techniques discussed above to train a machinelearning model, such as that used in the intelligent services featuresdiscussed above with respect to FIGS. 12-16. Like method 1800, method1900 may be implemented on a suitable computing device such as amonitoring device. Although described briefly here, method 1900 mayincorporate each of the features discussed above with respect to FIGS.13 and 18.

At step 1905, a monitoring device may configure a monitoring applicationmonitor a target application and its dependencies using one or moremonitoring interfaces. Step 1905 may correspond to step 1305 of FIG. 13and/or step 515 of FIG. 5, among other similar steps described herein.

At step 1910, the monitoring device may intercept API calls made by thetarget application and may modify the API calls and/or results to thoseAPI calls as discussed above. Step 1910 may correspond to steps 1810,1815, and 1820 of FIG. 18.

At step 1915, the monitoring device may detect that the targetapplication has an unhealthy status due to the failed results of the APIcalls. One or more monitoring interfaces configured to retrieveoperational metrics associated with the monitored target application maybe used to determine that the target application has an unhealthyoperating status. Step 1915 may correspond to step 1305 of FIG. 13.

The monitoring device may then use actual data corresponding to thesimulated performance incident to train the machine learning model insteps 1920, 1925, 1930, 1935, and 1940. These steps may correspond tosimilar steps in FIG. 13, including steps 1320, 1325, 1335, 1340, and1345. The trained machine learning model may be used to generaterecommendations regarding operation of the target application, asdescribed with respect to FIG. 13.

At step 1945, the monitoring device may determine an impact of themodified API call or results on the target application to assess whetheruser impact resulted. At step 1950 the monitoring device may determinewhether the application was able to recover from the simulated unhealthyoperating status of the dependency. If the API was able to recover,there may be no user impact and the target application may be consideredto pass the test at step 1955. If the API was unable to recover, and/oras a default response, the monitoring device at step 1960 may regeneratethe original, unmodified API calls from the cache and insert them intoan API call processing queue for further handling. The unmodified APIcalls may cause the API dependencies to return expected results to thetarget application, which may then properly process a transaction.

Combining the API call interception techniques with the intelligentservices pattern of performance modelling may allow the machine learningmodel to train on real world data while having minimal impact on usersin a live environment. Feeding the real data from simulated unhealthyevents to the intelligent services may allow for improved training ofand predictions by the event clustering techniques described above.Detected patterns of failure, due to the nature of machine learningtechniques, may be imperfect and may benefit from continued refinementbased on additional data. Using the API interception test techniquesdescribed herein may allow the machine learning model to fill in gaps inthe data set and confirm detected patterns of failure (or other patternsof performance). The API interception test techniques described hereinmay be embodied in a testing agent configured to perform chaos testingthroughout the system. This “chaos agent” may operate on a test planand/or otherwise select target applications and dependencies. The chaosagent may use the techniques described above to simulate unhealthyoperating statuses at different components of the system, and mayevaluate an impact on other services in the system. This information maybe fed into the intelligent services model to continue to learn how topredict what conditions may lead to the system having an unhealthyoperating status as well as how the system may recover.

Thus, some aspects may provide a computer-implemented method formodifying API calls by a monitored application. The method may beimplemented by any suitable computing device, such as a monitoringdevice. The monitoring device may receive a user command indicating astart of a testing period. The monitoring device may intercept, by atesting agent, a first call in a computing system from a firstapplication to a first API during the testing period. Intercepting thefirst call to the first API may be based on determining that the firstAPI is a dependency of the first application. The monitoring device maymodify, by the testing agent, the first call by mutating at least oneattribute of the first call. The mutation to the at least one attributemay cause the first call to fail. For example, the mutated call mayreturn a bad result not suitable for use by the first application. Othercalls to the first API are unaffected by the mutation to the at leastone attribute of the first call. The monitoring device may cause thecomputing system to process the modified first call and return a resultto the first application based on the mutation to the at least oneattribute. The monitoring device may determine an impact of the modifiedfirst call on the operating status of the first application. Determiningthe impact of the modified first call may comprise determining, by amonitoring application, the operating status of the first applicationusing one or more monitoring interfaces; and determining that the firstapplication has an unhealthy operating status based on at least onemetric provided by a first monitoring interface associated with thefirst application satisfying at least one unhealthy operating statusthreshold.

The monitoring device may cache, by the testing agent, the unmodifiedfirst call. The monitoring device may determine, by a monitoringapplication, whether the first application was able to recover from themodified first call returning a failed result. The first application maybe determined to have been able to recover when the monitoringapplication determines that the first application was able to retrieveinformation associated with the first API from another source.Additionally, and/or alternatively, the first application may bedetermined to have been able to recover when the monitoring applicationdetermines that the first application was able to partially completeprocessing despite not receiving the information requested from thefirst API. Based on determining that the first application was not ableto recover, the monitoring device may cause the computing system toprocess the cached unmodified first call and return a result to thefirst application based on the at least one attribute.

In some implementations, the mutation to the at least one attribute maycomprise a change to any one of a function name associated with thefirst API; a change to a parameter included in the first call; a changeto a destination, container, or scope associated with the first API; anyother suitable mutations that cause the first call to fail; or anycombination thereof.

According to some aspects, another computer-implemented method formodifying results of API calls may be provided. A monitoring device mayreceive a user command indicating a start of a testing period. Themonitoring device may intercept, by a testing agent, a first call in acomputing system from a first application to a first API during thetesting period. A second call to the first API may be unaffected bymodifying the result of the first call. The monitoring device may causethe computing system to process the intercepted first call and return amodified result to the first application. The modified result maysimulate an unhealthy operating status of the first API. The monitoringdevice may determine an impact of the modified result to the first callon the operating status of the first application.

In some implementations, the modified result may simulate an unhealthyoperating status of the first API by simulating one or more of thefollowing: a result with an artificially high response latency; a resultwith an artificially high error rate; a result with an artificially highlikelihood of non-response; any other suitable simulated failure; or anycombination thereof.

As described with respect to modifying the API calls above,implementations related to simulating results may cache the unmodifiedAPI calls and insert them into system queues for processing if themonitored application is unable to recover from the simulated unhealthyoperating status.

According to some aspects, a computer-implemented method may be providedfor training a machine learning model, such as in the intelligentservices features discussed above with respect to FIGS. 12-16. Amonitoring device may configure a monitoring application to monitor afirst application and a plurality of dependencies of the firstapplication using a plurality of monitoring interfaces. The monitoringdevice may collect, by one or more data collecting agents and at a firsttime, first system state information corresponding to the firstapplication and each of the plurality of dependencies, wherein the firstapplication has a healthy status at the first time. The monitoringdevice may receive a user command indicating a start of a testingperiod. The monitoring device may intercept, by a testing agent, a firstcall in a computing system from a first application to a first APIduring the testing period and at a second time. The monitoring devicemay modify, by the testing agent, the first call by mutating at leastone attribute of the first call, wherein the mutation to the at leastone attribute causes the first call to fail. The monitoring device maycause the computing system to process the modified first call and returna result to the first application based on the mutation to the at leastone attribute. Additionally, and/or alternatively, the monitoring devicemay cause the system to return a modified result simulating an unhealthyoperating status of the first API.

The monitoring device may detect, by the monitoring application andbased on the plurality of monitoring interfaces, that the firstapplication has an unhealthy operating status as a result of themodified first call. The monitoring device may collect, by the one ormore data collecting agents and based on detecting that the firstapplication has the unhealthy operating status, second system stateinformation corresponding to the first application and each of theplurality of dependencies. The monitoring device may store the collectedfirst system state information and second system state information in adatabase as a first status record and a second status record,respectively. The monitoring device may train a machine learning modelbased on a plurality of status records including the first status recordand the second status record. Training the machine learning model maycomprise: clustering incident events corresponding to status recordsassociated with the first application having an unhealthy status,wherein clustering the incident events is based on attributes of systemstate information, of a corresponding status record, corresponding toeach of the plurality of dependencies; determining one or more patternsof performance based on the clustered incident events and the firstsystem state information, wherein a first pattern of performance of theone or more patterns of performance indicates a potential correlationbetween a first attribute of the system state information correspondingto the first API and the first application having the unhealthyoperating status; and updating the machine learning model based on thedetermined patterns of performance.

The monitoring device may generate, using the machine learning model andbased on the first pattern of performance, a health report for the firstapplication and the plurality of dependencies. The health report mayindicate a likelihood that the first application will enter an unhealthystatus.

Methods of using API call interception to test and train a machinelearning model may combine aspects described herein regardingintelligent services and API call interception and modification.Implementations may have features similar to those described above withrespect to the intelligent services and API call interception features.

Although the subject matter has been described in language specific tostructural features and/or methodological acts, it is to be understoodthat the subject matter defined in the appended claims is notnecessarily limited to the specific features or acts described above.Rather, the specific features and acts described above are disclosed asexample forms of implementing the claims.

What is claimed is:
 1. A computer-implemented method comprising:configuring a monitoring application to monitor a first application anda plurality of dependencies of the first application using a pluralityof monitoring interfaces; generating a training data set comprising aplurality of incident records, wherein each incident record correspondsto a respective performance incident and comprises system stateinformation corresponding to the first application and one or more ofthe plurality of dependencies during the performance incident;detecting, by the monitoring application and based on the plurality ofmonitoring interfaces, that the first application has an unhealthyoperating status; collecting, by one or more data collecting agents andbased on detecting that the first application has the unhealthyoperating status, first system state information corresponding to thefirst application and one or more of the plurality of dependencies;adding the collected first system state information to the training dataset as a first incident record; training a machine learning model, basedon the training data set, to determine one or more patterns ofperformance based on the system state information of the plurality ofincident records, wherein a first pattern of performance of the one ormore patterns of performance indicates a potential correlation betweenthe first application entering an unhealthy status and a first attributeof the system state information corresponding to a first dependency ofthe plurality of dependencies; detecting, by the monitoring applicationand based on the plurality of monitoring interfaces, a current operatingstatus of the first application and the plurality of dependencies; andgenerating, using the machine learning model and based on the firstpattern of performance and the current operating status, arecommendation regarding operation of the first application or the firstdependency.
 2. The method of claim 1, wherein generating therecommendation regarding the operation of the first application or thefirst dependency comprises: determining, using the machine learningmodel, a suggested action based on incident records corresponding to thefirst pattern of performance.
 3. The method of claim 2, wherein thefirst incident record further comprises information indicating acorrective action taken in response to a corresponding first incidentevent, and wherein determining the suggested action based on incidentrecords corresponding to the first pattern of performance comprises:determining, using the machine learning model, the suggested actionbased on the corrective action taken in response to the first incidentevent.
 4. The method of claim 2, wherein generating the recommendationregarding the operation of the first application or the first dependencyfurther comprises: generating a user notification regarding thesuggested action.
 5. The method of claim 2, wherein generating therecommendation regarding the operation of the first application or thefirst dependency further comprises: automatically implementing, by themonitoring application, the suggested action.
 6. The method of claim 2,wherein generating the recommendation regarding the operation of thefirst application or the first dependency further comprises: generatinga user notification regarding a first portion of the suggested action;and automatically implementing, by the monitoring application, a secondportion of the suggested action.
 7. The method of claim 2, wherein thesuggested action comprises bypassing the first dependency.
 8. The methodof claim 1, wherein the first dependency corresponds to an ApplicationProgramming Interface (API) associated with a resource utilized by thefirst application.
 9. The method of claim 1, wherein the firstdependency corresponds to a network utilized by the first application tocommunicate with another dependency.
 10. The method of claim 1, whereinthe first application is determined to have an unhealthy status based onwhether one or more metrics associated with the first applicationsatisfy one or more operating status thresholds.
 11. The method of claim1, wherein the system state information of the first incident recordthat corresponds to the first dependency comprises informationindicating one or more of: whether a resource associated with the firstdependency is accessible; a response latency associated with requests tothe first dependency; an error rate associated with requests to thefirst dependency; or an error state or error message provided by thefirst dependency.
 12. The method of claim 1, wherein the plurality ofmonitoring interfaces comprises a first monitoring interface configuredto enable monitoring of the first dependency, wherein the firstmonitoring interface is generated by a monitoring interface applicationand is configured to determine at least one metric associated with thefirst dependency, and wherein configuring the monitoring application tomonitor the first application and the plurality of dependenciescomprises configuring the monitoring application to utilize the firstmonitoring interface through at least one monitoring query associatedwith the monitoring interface application.
 13. The method of claim 1,wherein the first pattern of performance is a pattern of failure andindicates a potential correlation between the first attribute of thesystem state information corresponding to the first dependency and thefirst application entering the unhealthy operating status.
 14. Themethod of claim 1, wherein the first pattern of performance is a patternof risk and indicates a potential correlation between the firstattribute of the system state information corresponding to the firstdependency and a level of security risk to the first application. 15.The method of claim 1, wherein the first pattern of performance is apattern of latency and indicates a potential correlation between thefirst attribute of the system state information corresponding to thefirst dependency and a latency associated with requests to the firstapplication.
 16. The method of claim 1, wherein the first incidentrecord further comprises timing information associated with acorresponding first incident event, and wherein determining the firstpattern of performance is based on the timing information associatedwith the first incident event and timing information associated withother incident events.
 17. A system comprising: a first applicationhaving a plurality of dependencies, wherein a first dependency of theplurality of dependencies comprises an Application Programming Interface(API) utilized by the first application; a monitoring interfaceapplication providing a plurality of monitoring interfaces, wherein afirst monitoring interface of the plurality of monitoring interfaces isconfigured to retrieve operating status information for the firstapplication and a second monitoring interface of the plurality ofmonitoring interfaces is configured to retrieve operating statusinformation for the first dependency; a database configured to store atraining data set comprising a plurality of incident records, whereineach incident record corresponds to a respective performance incidentand comprises system state information corresponding to the firstapplication and one or more of the plurality of dependencies during theperformance incident; and a monitoring device implementing a monitoringapplication and comprising one or more processors and memory storinginstructions that, when executed by the one or more processors, causethe monitoring device to: configure the monitoring application tomonitor the first application and the plurality of dependencies of thefirst application using the plurality of monitoring interfaces; detect,based on the plurality of monitoring interfaces, that the firstapplication has an unhealthy operating status; collect, by one or moredata collecting agents and based on detecting that the first applicationhas the unhealthy operating status, first system state informationcorresponding to the first application and each of the plurality ofdependencies; store the collected first system state information in thedatabase as a first incident record of the training data set; train amachine learning model, based on the training data set, to determine oneor more patterns of performance based on the system state information ofthe plurality of incident records, wherein a first pattern ofperformance of the one or more patterns of performance indicates apotential correlation between the first application entering anunhealthy status and a first attribute of the system state informationcorresponding to a first dependency of the plurality of dependencies;detect, based on the plurality of monitoring interfaces, a currentoperating status of the first application and the plurality ofdependencies; and generate, using the machine learning model and basedon the first pattern of performance and the current operating status, arecommendation regarding operation of the first application or the firstdependency.
 18. The system of claim 17, wherein the first incidentrecord further comprises information indicating a corrective actiontaken in response to a corresponding first incident event, and whereinthe instructions cause the monitoring device to generate therecommendation regarding the operation of the first application or thefirst dependency by causing the monitoring device to: determine, usingthe machine learning model, a suggested action based on incident recordscorresponding to the first pattern of performance.
 19. The system ofclaim 17, wherein the instructions cause the monitoring device toconfigure the monitoring application to monitor the first applicationand the plurality of dependencies by causing the monitoring device to:configure the monitoring application to utilize the first monitoringinterface through at least one monitoring query associated with themonitoring interface application.
 20. One or more non-transitorycomputer readable media storing instructions that, when executed by oneor more processors, cause a monitoring device to perform stepscomprising: configuring a monitoring application to monitor a firstapplication and a plurality of dependencies of the first applicationusing a plurality of monitoring interfaces, wherein the plurality ofmonitoring interfaces comprises: a first monitoring interface configuredto determine incident attribute information associated with the firstapplication; and a second monitoring interface configured to determineincident attributed information associated with a first dependency ofthe plurality of dependencies; generating a training data set comprisinga plurality of incident records, wherein each incident recordcorresponds to a respective performance incident and comprises systemstate information corresponding to the first application and one or moreof the plurality of dependencies during the performance incident;detecting, as a first incident event, by the monitoring application, andbased on the plurality of monitoring interfaces, that the firstapplication has an unhealthy operating status; collecting, by one ormore data collecting agents and based on detecting that the firstapplication has the unhealthy operating status, first system stateinformation corresponding to the first application and one or more ofthe plurality of dependencies; adding the collected first system stateinformation to the training data set as a first incident record;updating the first incident record to indicate a corrective action takenin response to the first application having the unhealthy state;training a machine learning model, based on the training data set, todetermine one or more patterns of performance based on the system stateinformation of the plurality of incident records, wherein a firstpattern of performance of the one or more patterns of performanceindicates a potential correlation between the first application enteringan unhealthy status and a first attribute of the system stateinformation corresponding to a first dependency of the plurality ofdependencies; detecting, by the monitoring application and based on theplurality of monitoring interfaces, a current operating status of thefirst application and the plurality of dependencies; and determining,using the machine learning model and based on the first pattern ofperformance and the current operating status, a suggested action basedon the corrective action taken in response to the first incident event.